23542300x8000000000000000423950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:27.645{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850D23E55252F80CD0DD8120A4EE6710,SHA256=4E9B0AEDD0E2EA6103170A95432EE3C7A050C8EB92F55CF5CE1C0848EC4C0A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:27.465{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C69D8F070379985747368B68B70904C,SHA256=1EDAB8E15035BF88CEDD8116B0668682948AF4A3F29508305E5BA29B0FAB0989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:28.677{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C298F9FFAB9586A764565FF4B7A0D2,SHA256=47A8D0C75AA54176C61C1089D988A503E546E8F6F2C91CABB223C12AF118C600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:28.481{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74794F09CDA0047D84C3E3F1CA988562,SHA256=1B292FF365F3CB153AA9E38B7B59CDEB5F4AFDAF0C4A28BDB27652440D5A8CD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000423953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:29.257{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62015-false10.0.1.12-8000- 23542300x8000000000000000423952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:29.696{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D030C964186290B9E595A7EB280D387,SHA256=C00AF11FE3C5B117D8F45AEA83049D93C1440EFA7D8EDD1909C27FE05082BBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:29.575{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620806F5250058E6C0BF000693B25896,SHA256=1723D6E2B4FD42ECE2D4B5F1C9DEA73B64DD93EB5B3F43F7497E5060B4B86D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:29.086{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53372-false10.0.1.12-8000- 23542300x8000000000000000369361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:30.622{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1C063E6756C4203F9626E53288EDFA,SHA256=106989E960D3F53F11639E2569C34BE29699D876E7D3FEF60EF4C07DF5B4E59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.742{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AA1A3540636D057AADBECB2B437628,SHA256=13E3337B87682B5B4C966AE38C8EF57B452F10D5E6A843DBB5694D2265A95E1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000423969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C1E-6171-1D2E-000000000502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C1E-6171-1D2E-000000000502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000423963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C1E-6171-1D2E-000000000502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000423962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.711{8D4DD44E-3C1E-6171-1D2E-000000000502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000423961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C1E-6171-1C2E-000000000502}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C1E-6171-1C2E-000000000502}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000423955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C1E-6171-1C2E-000000000502}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000423954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.044{8D4DD44E-3C1E-6171-1C2E-000000000502}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:31.747{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF41A6E68769A9AF9426D98FD97AE69,SHA256=6970A411577FBC9BFC0039A219D5143C2EE8C4BC04DC303328924691ADB7FBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.756{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2692191C1E8141A435B861668DC2E0,SHA256=C379CBB91DD1C1F3AA99CED5621EA50D7F15FE73CDDA29C112823A0E15E67745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000423981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.556{8D4DD44E-3C1F-6171-1E2E-000000000502}56684704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C1F-6171-1E2E-000000000502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C1F-6171-1E2E-000000000502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000423974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C1F-6171-1E2E-000000000502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000423973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.373{8D4DD44E-3C1F-6171-1E2E-000000000502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000423972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.057{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B5ED1414D32FE51C33D7428E07D16C5,SHA256=1789A335EACC72B4A231C9F8737BA00B8997256D679026A59EBBD0025F33BBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.057{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=538B2FD17CE6918716F4F1D4D676E6B5,SHA256=F76EBB3A8AD549433A4ADF051F6CD2AA78F9993781D99590F627B3FAA692C590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:32.778{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDE2A03328A2014B728B97D13E80B7E,SHA256=8631884B1128EDCA0E4AECB77F79483D5C65D8C29BD3A2367432203A0BD0DE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:32.774{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4208FA3EA9F70CA8A407B987C409B8EE,SHA256=19683D5F69D928893D69C1264FC7EDE9DE2593DBCA652CD557DA55660A113667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:32.393{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B5ED1414D32FE51C33D7428E07D16C5,SHA256=1789A335EACC72B4A231C9F8737BA00B8997256D679026A59EBBD0025F33BBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:33.792{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A360097D6990590670B763D0ACB62A5B,SHA256=9558251DBD8C08FC5CB887433645EA1F89AB7428C953A67F2E854703FC00BF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:34.955{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6921F82B56A101421EDAEDE96F632D05,SHA256=B3D0C09D07243F57B81C0466025744D43EA76D81D24ADE8BA65AA6DC16F8DAD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:34.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566BFFDC85B6DC1F60B7487CC6F5E797,SHA256=E6591596848730515A9D0BE607E4DF04BA0B9BDB35BA515FB78FAAA8422DF5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:34.874{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FBFB3824BCFB617A05DF89D2076D90DE,SHA256=1C3247DDAFA84E3DFACF900A4AAE6B6621C4A7DA262030B735F8B1107955D0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:34.028{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A744BF839DCA72D63C0472ED5FB398D5,SHA256=A1595D063F8DD433E05C349BE59805E3426B345E7CB0E884BD398A1A8015374A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000423986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:34.351{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62016-false10.0.1.12-8000- 23542300x8000000000000000423989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:35.808{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017E1A0E28739C9D313EF1C1AED58BCF,SHA256=8C901B5AF7D45E7AA3BFBA3CDDECB15E468EF4554A3DBFCADF44A35CB41E65D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:35.030{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057E57DCD7E30C056C74265AF0DA1000,SHA256=0F77DDC0DB3D7880D9FE8C2B5AF86F087F97EFC162CC6B06C1655C377D3A79ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.416{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-44580-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.875{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390ADBFD7F12E05EAAF9E0B6F4525C5A,SHA256=428AEE76F6E5871184B31748ADE3BD855C73D84E2B4413DAC540DAB34D5D2C0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:34.195{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53373-false10.0.1.12-8000- 23542300x8000000000000000369368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:36.045{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2290FF49C360497F8E0A8E49A8DD9B8D,SHA256=724A0BCB7C24C7933AFCD771DE14F986F4CBDBD494A5B86B4A3D5F806E5C15AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000423999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.508{8D4DD44E-3C24-6171-1F2E-000000000502}49445996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C24-6171-1F2E-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C24-6171-1F2E-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000423992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C24-6171-1F2E-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000423991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.340{8D4DD44E-3C24-6171-1F2E-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000423990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B575723F2D440AB3BFC0442DDF4BAF2,SHA256=BFCAFAED6F54CB6AE18BF1778B65B6C06DA5B2ACB5F7A157869406B0A97A3C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.890{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B173AF3E6E23DABF1E9F43EFA8C9E6,SHA256=6B7DDDC1286A8B6CD7C636B06F6359DB4905A1AEDFC822A5E5C510A7C829A1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:37.061{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502037E162CF852000F4CD1CA591316B,SHA256=D6F65DD1858913C07F78A9146635C0F0A4CCCB17BAA029B911841296B22DE831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C25-6171-212E-000000000502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C25-6171-212E-000000000502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C25-6171-212E-000000000502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.669{8D4DD44E-3C25-6171-212E-000000000502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.391{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=264031BD4FE01AE09F93BF139214ECDE,SHA256=FA27FB130265672A0451CCDDB7F06F6C905054A9AAE205EA31F410753109695B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.238{8D4DD44E-3C25-6171-202E-000000000502}37164656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C25-6171-202E-000000000502}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C25-6171-202E-000000000502}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C25-6171-202E-000000000502}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.008{8D4DD44E-3C25-6171-202E-000000000502}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.905{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AC00B00DC870B669B89FCD50F582B2,SHA256=03B09EA071CC9AF0325966C4936371E16E0E6E7FBAB978F1DAD1D3D98C943694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:38.061{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26DD74D1E4FA9ECB2DA6B8616CB98B7,SHA256=551E37A6E8C29E3DAAA56C0D2C545655EE9F138FE857881611AFAF1C985F622B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.689{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34EB3C474D80D60423809C0B6D732A24,SHA256=775260A06060185B4FDD64031BABCE29B17615D002FC7C1DFD6172387EE2C3EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.505{8D4DD44E-3C26-6171-222E-000000000502}50404692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C26-6171-222E-000000000502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C26-6171-222E-000000000502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C26-6171-222E-000000000502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.353{8D4DD44E-3C26-6171-222E-000000000502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:39.919{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC4623801F530D62EC1CA9CFF98013D,SHA256=07849727A96026324866679D5FAB78E54D61DA0512BD1F1AC986BBA5AAB48A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:39.124{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967373E490A5C2D9A4FEA3E77B41763C,SHA256=F156385872F72EDA41B8B353E5FE143142E1671418DEE0EA6DF566B82CCA6068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:40.950{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FA565A73B4B48AE56C99738392DE2C,SHA256=EF27003C32F137E8D1DA0785E2C67C4800D8BA0D55936A19FC51CE354050059E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:40.210{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62017-false10.0.1.12-8000- 354300x8000000000000000369375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:39.310{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-53183-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000369374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:39.275{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53374-false10.0.1.12-8000- 23542300x8000000000000000369373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:40.124{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B32D29156D93A280DF685F75DAE685,SHA256=CAFC91F76AD5DB4D594555A6B5918AD89D44FC549091EDAC977A3CC717C4F7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:41.966{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97C30DB9543F6A3FD5C4818B1F07BA0,SHA256=17B28C4E7367C3AF4C001CFACE3ECD1CEC0F426DCC6FAA1EAFE2AD7E04C5AB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:41.139{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CD26E6C18EBF7F91137301E5E2D3A7,SHA256=CDBA65439EB23318E1E0464C74526CCC3E44D2CD3588C96C06F56810632C6B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:41.077{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB94068FBBB4EC82A68A9B88CEABBD4,SHA256=FF152C7A1F130CAC1FB9C05F8774AEC44F4BE8BD207E2A43D5D9A9EF2C877B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:41.077{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0ACEA2F7D10BDEAE820EDC0D0F7CD6F,SHA256=EFE5745C52DFDC73C568476416906A33632C1DC9AF573817C8029C7F88FD32B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:42.985{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBFD5091F8520787816A3304EA7E30F,SHA256=D1CF1D2887D3E8B09D00B2D8BB2723A7A4EEDC24AEFF5A8932536B47612E85D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:42.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D427BF9FE55A8C8DAF90480957A67F62,SHA256=748D5434DEF57357ECC1BD572FB10EBC5EAE896B19019337F43F131B49F654D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:42.229{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53375-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000369379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:40.080{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53375-false10.0.1.14-49672- 23542300x8000000000000000369381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:43.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C9B883C18475FDF7D8B9EA50E26CA5,SHA256=4EAA644033AFCBF62EB6DB8BC4E856CA91AC1436CECB52AA64889D9515FD1F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:43.999{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CFCCA7C37E93F00BCD7963A5633C18,SHA256=FB024E472AF95C60510C986A2A53183C7E7D9C3A9F0ABDA643514290C9972F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:44.733{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:44.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5DC40FD25A087023CC352AE5076A32,SHA256=E46E55F9A7170EBF1CC5C2A4B854F52BB9D6DC629B34BED252685F119387AADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:45.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C1B29A492ED2D23F2EF2E519BB8449,SHA256=C4CC05B8735500B9608302E72D38BDFA757F6EBDD0515BA8BC0D2425BE704FF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:45.258{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62018-false10.0.1.12-8000- 23542300x8000000000000000424039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:45.014{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DFA70DE17846813F6E00CDD13BB57E,SHA256=07EF5D9D02B16473DBF2292975DCD5D8E7201321F94A8C2A71899E0C19691CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:46.156{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD51019547747071DCD6E4CD6875C154,SHA256=11948E23A52A06F57184ED3DFB51403B854DB7F73802D2883141F2AA74E9F591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:46.045{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDBEDE9154A394774BB3FD9767931D7,SHA256=C8FD89D97428DD7ECFE4E70F267C5699779DAE9080272FD2871143F7229449EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:44.728{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53376-false10.0.1.12-8089- 23542300x8000000000000000369388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:47.170{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9459AE481FFF8BBB09612B67EA20C988,SHA256=ACC8612861F925D45F2785F1197FD80140CB2B3047C88B801C791A7B955095AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:47.064{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BB3F3BBCC1831CB32DF38F20789B45,SHA256=BBC7233053C51CFF4A2BD92C7DA09402C0BB618FF44D8191BB596B97231175FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:45.228{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53377-false10.0.1.12-8000- 23542300x8000000000000000424043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:48.080{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD4D88C19F6B5608A4892AC9EE325CE,SHA256=395ED4CD8075573875ACB357E04ACC5652107AABD3E0D0760C9F77442C75C21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:48.170{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6616F11BEC778764764D06ACAB731678,SHA256=D5C1830F44798C5703012792A0FAA7B6C92E3D82755564D6AFEF19E3FDCD58FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:49.095{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5FBE3698FD93410EF7070DAC48DDBA,SHA256=4FB16EA32EE639084A0C57DB85203F49E9BF14348893F577E475ECB7D084FDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:49.186{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9184B9E89072CBD7187B4868A758F37,SHA256=C06D46CA6333C67E08C6F30AD6B8F29E8D483A4B79C55FC532B37AF8AD4B4A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:50.485{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-1584MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:50.186{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294F929C63B040D22DDE4C55F77E5D7E,SHA256=9B9A87A3A6B4E05F24ED7E3EA78357F840791E795B2DC3A4B26BC8B3AC442576,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:50.338{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62019-false10.0.1.12-8000- 23542300x8000000000000000424045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:50.109{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F1E05C51DBF3A502464F6013D18592,SHA256=30E03EA1C8A8507894A25F3D9EF813B10AC382C60B96B33344E2F5BA6AA68AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:51.500{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-1585MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:51.202{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB87D62B34E61C8B03A3702A9E33E5D2,SHA256=BC7F83C9EE5E04EDF5DBEFA7E1F9A44A18D326239AF7F00E89CB977D5759ADFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:51.140{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37F9B22631BBA1DB914250CC8821C4D,SHA256=112C60726F7FFF35990E9ABE11E1659EB93E24629F8A8800A6FA24C1E5E83E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:52.160{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3E43246C7959B9562D12CEB4394D4F,SHA256=A860052F628E558ACBF7395A76C2F9ACE2561482498C8AC110FCE183FCE546C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:51.150{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53378-false10.0.1.12-8000- 23542300x8000000000000000369395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:52.203{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5FE4D7D51082E9976743A3B7A013C6,SHA256=977193B04B8758247D57FABBA9A8FA0F73A70213EF1327AB977B82A497F9D19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:53.178{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF138C2F3D2B7FF5901368DA84E2F5A,SHA256=65491979C6A58682CE9E5288AF0286EEEE67E5744F0FAC19F62E66B5C65DDD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:53.218{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7793D72FF6C9272DB77AB271E679C1,SHA256=56A8454A97A615E1C293F1F8580084905B27E6B5C6FEFCF4B08E271A1FF9E1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:54.218{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777F618460B1D82934A795D7D4890AC9,SHA256=F8C43129F41A5C1CAA0F29324CC07C3491648EED992A7BBD927FF33FBF4632AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:54.209{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E39F1EA94D44633A81A297ED411EB72,SHA256=61AFAAB0B8F6626DE32F8DD738055E3ECAC2BC9EAB8DD263AD24727E3BF1B399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:55.223{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D9D1B5A89E5BB60E1DD278A3DB90D,SHA256=773BE3EEE4F7768ACBC82B5BFB1E25D1E147CD42BC9CEE7605E78E832DC01CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:55.708{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EED96779930F7E7BE45EB77EEE62D7AE,SHA256=5C6D7A5972ECCC78B5E58189E2DAA0BE0A3EB977BEC8DA211F863C8528DA3A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:55.708{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F31314AB53F863D1D462ADBF0BCDE1AD,SHA256=83DBA8491DA2EABEE1FAB0CE8D0C2A881D7FEAF72D766F02CD6D3F930B35820C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:55.414{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62020-false10.0.1.12-8000- 23542300x8000000000000000424051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:55.224{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F830D7FC77BD5EE5AB4A4CAE12A0AD94,SHA256=F03DE7AD6DCE77CDC0EC31B913DB9FF04CE8783C3B27134AE7BCCAFBB4795440,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:56.643{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-34931-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:56.238{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32330D4E7C8DB608EEF7A7750CCA5DF3,SHA256=FB67F4A4CBC534D525EE7C1C601885CA45A62ED5BACCAF7D7AB329CEA7FA4A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:56.223{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C7923C82C5052B3F2BE9D4D20660E4,SHA256=4E62C8852888839EFD5816176B461492776B1D25E173A46AB8215E57376E7A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:57.574{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:57.274{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59ECBE076752C3E968416B4E54AB9B25,SHA256=75039F7C299DE0DE7D7F500ECA02640E2EF5FBD7F446904DF9D275B37BAF7FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:57.833{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE7CAE926A2DA18ADF108979E3DF8353,SHA256=FD5B26B7F6F2C538C80ECB04ADD4FE29BFBDADEE989C7737EE1DD10108A98A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:57.833{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB94068FBBB4EC82A68A9B88CEABBD4,SHA256=FF152C7A1F130CAC1FB9C05F8774AEC44F4BE8BD207E2A43D5D9A9EF2C877B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:57.239{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A427B757661DD7F385C8E741E1DD8F4C,SHA256=CE78C45F078ED5A7D4CFDB28F4D4657F5AFCC125DCD4A6F151997B63CFB3E659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:58.304{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A93B894FCF1D48B35A8A4185A42296,SHA256=7B93E3E952E7123E81892396EDCCA9CF47C25EE1E14CF63F516DE81E14824407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:56.681{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-41122-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000369405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:56.234{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53379-false10.0.1.12-8000- 23542300x8000000000000000369404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:58.239{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020D7797F1D8F8DD04452A83FF3405B0,SHA256=6E78CAD6172C1D8DEADB53A74305CA48C31D4C60211DAAAD0B97787D90160E84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:59.710{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62021-false10.0.1.12-8089- 354300x8000000000000000424061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:58.977{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53380-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000424060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:59.335{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829812AF3C3F17DB605CBC5E6567A93A,SHA256=F270BF05E475CFF6B5971D1F0F00902FC9FDF156751C6B6F0D6B82E194DA609A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:56.828{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53380-false10.0.1.14-49672- 23542300x8000000000000000369407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:59.254{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96521B1EA53DA253EBC57F90E2EB6915,SHA256=49567266EE22A3B7D6B199395CF853B9257E2FF8BEE472F60943B644600C076D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:00.270{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1B11A82F2B767DAE73BEB9D80569DD,SHA256=ADD303600C32BAED89EBA1A232E4CB535BA660CF5C9794C140FBF73A52484FD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:01.277{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62022-false10.0.1.12-8000- 23542300x8000000000000000424063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:00.387{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311D567A12C9A8A77AAA1E89917CA66C,SHA256=A9C0E525DAE16DFF3DFE27C3CBDC0CCB6CDAB7FE0788C0E1ED1DB4201721FAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:01.402{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F28555831884ED31F820218ADC5845,SHA256=CCB7FB0A9493BE9C99D22C9E5F4B953A95659877B4B4347777247F8A1D853785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:01.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2C17EC1605BC1F2D9C8B43996E2F1E,SHA256=77056DDA591D18FDD904C8D0868884254FA498F7441F97C6D094BA3EFFAC7C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:02.432{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64917E1394A9CDD4C4838DB27C14CFF1,SHA256=9311E13AE858CF574E1856CE39F1ECADCBE676D051E40AC3FA6707EA3DF6A8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:02.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE224BF9C202FED8571862184D27497E,SHA256=6D07EE5C72BF2B1BC39020D23469E1CAFFFD6751A97C8EB420E13DC1CA9B0D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:03.449{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE4AD985E982C1BA689DE00BB80C41F,SHA256=53D1EAF4C049C9C7F4E8196FC686E900443A229D01DD0292BA7391EC5FF2C666,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:02.124{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53381-false10.0.1.12-8000- 23542300x8000000000000000369412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:03.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC73BF441B92ABE405583470F06F8BE3,SHA256=4D9BA73231F974CD20555D1882EE41726F5B884410044BAE3EF362F5FF7ED3F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:05.473{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62023-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:05.473{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62023-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000424070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:04.467{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA664AD8CB1D3CFEF8C2D3474D389254,SHA256=E9DC115D2FCE8A4E6DF1E38DCFBC9AEA2C2BD9865FF427639C9BB6B5D4BECD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:04.301{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CB6A53247388441CC40B38574680B7,SHA256=92B7F5DFEFAA2CE5E94AC3C35592BBDD6F6002471F00615D5C16AA8E458EA626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:04.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E44BEB5D093EAE99BE3D392C03C265E1,SHA256=B107B28D4E580D141C416FEE77B63D3901D3C5DE116D810298CF5FD898B29284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:04.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EED96779930F7E7BE45EB77EEE62D7AE,SHA256=5C6D7A5972ECCC78B5E58189E2DAA0BE0A3EB977BEC8DA211F863C8528DA3A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:05.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8150880C5BF660E5533C7189D8F12C3A,SHA256=70DD3F96CFEEB19BE5BD29EEFCD9995FDAB399951A0165D6FDE86F9BBD3AB4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:05.301{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D333E50DE01A2F8BD63D6DA640A226C,SHA256=83CE1A10FFA765638C4A4A0DE294E4FA52CEC8C169E923391DDEC7A8820225BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:05.032{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-1584MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:06.307{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62024-false10.0.1.12-8000- 23542300x8000000000000000424076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:06.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770703B9273561A5A352F31F53DC7E95,SHA256=226729357992875749903E060B3890982B70A6E73B0875F3A528EC24005B53BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:06.301{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80552D1D87F94C7CFFB5C973E19C8B7,SHA256=0429F9DAB6F157C3F00135DAD665AE9B33DCFB6BBFD64E8DF51E540947DA5292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:06.045{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-1585MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:07.512{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF66CCBF7525307A8490BEF0502F0C4B,SHA256=E577BE37481194C230EF13D906705EB85F729A6B2E833FD6DC6041B768823A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:07.301{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CE761FAE1986BC8ED5CB2D7E9D3C0F,SHA256=55B3E043AA1FD46C9A7B8F894453AD8922F75857DD2DF5EC0D548BEF18482574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:08.546{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DDDC978D52FEAFCE85A228E9FE175E,SHA256=470068B3B0BEF73CA4460C257C71DB30A15A414FE1AF43EC739788C4CDE3817C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:08.319{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776C92E3C0AB6635918E78C88E8DD4C2,SHA256=43200ADC41564FD9C0A5E6E406C665232FA9DC8792C9065B71D3B78A72726F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:09.564{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40106A9999E98855DD4061D6A3AA7BF9,SHA256=A9A0265623B7188D69BC72D9D5A43F4BABCA353664F422E71FAF4ED22F0FF41C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:08.062{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53382-false10.0.1.12-8000- 23542300x8000000000000000369419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:09.333{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358C69C64F6D803491E21A5537AE187F,SHA256=D82716255A234E60BDB1D219E60971DEF285EF2ACF8107207884F67C297308BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:10.579{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A99B4E5B2ABBC538CAECE0359741FE2,SHA256=9C46BBAE2493BDA368DF2DE72F677EC7DCDEEA63A8710178313B954C8AE6CF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:10.333{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633FCDB6992C0F54E41FC849BFF36637,SHA256=1993FFCC542CD052F542F2C6D36798B352F3B1EB4586088D7DCA4CD958E9E866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:11.597{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD1F928729F15DA5F6A8FD8CF259D00,SHA256=5DD50A3A10FA0C85213A7751CA54B88E79A79191EDA1C121100FBD15B52208EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:11.348{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C763E21F056246CC3F36907CA275C11,SHA256=D0F476A57915BC7696E6CB6624A330694B35FA3523D28EF669C98978BAE461B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:11.401{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62025-false10.0.1.12-8000- 23542300x8000000000000000424087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:12.927{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57055092FB2C06A232BE954584F05DF6,SHA256=23019654F09266BEA35217A8F5EA2CC92B971F96E5B48CC5982B67BA548E0B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:12.927{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E44BEB5D093EAE99BE3D392C03C265E1,SHA256=B107B28D4E580D141C416FEE77B63D3901D3C5DE116D810298CF5FD898B29284,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:13.922{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-21438-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:12.612{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4229D7185125B8780900A5464BA74EB0,SHA256=5280466D1C783391D88B3D1C0B5E904914A4656DAFFC89F10E16EDD9AE3E766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:12.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1398ABCD823D16C6508427019AAC0B36,SHA256=8BD0D8719B5096F035E2A7F9114A2E2FF3726287F6B045924C5C300C53EFB52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:13.646{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A17024D4C5D6E3A5B1BB2481AE8E627,SHA256=A87B9A6DD4CCB5E8E7ACBA4FDA5ABEE24C2B4A70F2BBED590B3ECAE81DAA6482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:13.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA84E9C0F2C6EBADF53B66DCEEE7BDA3,SHA256=39CF11CF4420732814D2DBB85873F1EEA8E379A75482E5D4707E1A1962493798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:14.665{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE3695D7DB056636BC05831157CF7AB,SHA256=51ED3FD0FA45FD8080C0A6727893AE65B1CE80437D73F8653B2866AB5DA77D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:14.379{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D30592DFC0CF88E6638C4C4BAB0D1E,SHA256=0D40A85AE3A4B5D0DA574B3A590D2C6E6A93899EFE33D21E1DB5B7C30F3BFE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:15.680{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3E0680E069905DDE8DDEF7BC2A86EF,SHA256=CCCC6FB70050E5E7AC3FECC9EE413E4C942ECADCE99624766DC911D45DD6C78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:15.380{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1A1428F887BC5181C46772F924E7E9,SHA256=A12EBC0839516F2EC682842E1B8F7F4DCAE7949C5A5C3FD31E1F77D8C1E9BAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:13.203{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53383-false10.0.1.12-8000- 23542300x8000000000000000424091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:16.695{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF98E584F2CDEFAB27BE095871F36C00,SHA256=FDB65C3DF4B800C14FECD6C68F9652679FCA05C8A89EF75576072EC1E02385ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C4C-6171-2B2D-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C4C-6171-2B2D-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C4C-6171-2B2D-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.819{6F8252D3-3C4C-6171-2B2D-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.380{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED841171C8CD994BBC5492219049914D,SHA256=4055F350FB183B7CF106807AB271063D93136E64344CE7E8ED5534E3F6076866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.130{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3374D0B4596D9CE2F12DECBD21F52F33,SHA256=91C6E398CE7ED93B321C1A260DD8C1481D06857761DE673F2A0E28E5028B3D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.130{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE7CAE926A2DA18ADF108979E3DF8353,SHA256=FD5B26B7F6F2C538C80ECB04ADD4FE29BFBDADEE989C7737EE1DD10108A98A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:17.725{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E340DE948CAC55240AC93BA709806393,SHA256=E3648CE3870A59C45ED7FA7467ECBB881B87AA44F82EC809E865FE0D5BC1F7A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C4D-6171-2D2D-000000000602}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C4D-6171-2D2D-000000000602}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-3C4D-6171-2D2D-000000000602}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.552{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107F42036DC1A2BAC3A84EA0862AF9D4,SHA256=D1BD7BCBA669596A37C9BFCF4C58980C8C3A2D78C2E26C73C400D4AD3DFD88E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:15.150{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53384-false10.0.1.14-49672- 354300x8000000000000000369457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:14.954{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-30144-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000424093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:17.300{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53384-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000424092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:17.254{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62026-false10.0.1.12-8000- 10341000x8000000000000000369456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C4D-6171-2C2D-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C4D-6171-2C2D-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C4D-6171-2C2D-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.319{6F8252D3-3C4D-6171-2C2D-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:18.761{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5C5E27EC479C6E544F2E9195F316AF,SHA256=62480D7FE82779D237FA8AA51FC770646CEB936FFB782AE4B150F3CCF4CD2650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:18.443{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6700137F1A2710A21192FC033AC05FE,SHA256=B2DF9F108EB1740B0DD966B6C9C169DBA845000EFBC9FDD268246547C6A2A0BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:18.177{6F8252D3-3C4D-6171-2D2D-000000000602}34602840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:18.005{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3374D0B4596D9CE2F12DECBD21F52F33,SHA256=91C6E398CE7ED93B321C1A260DD8C1481D06857761DE673F2A0E28E5028B3D2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C4D-6171-2D2D-000000000602}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:19.776{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E0DE433A2EFC43BFABE339EF049648,SHA256=BC740ABDFE60502E5733AF2A4E712988129E64B3305F43E4941B76F706A1E480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:19.521{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8311CEBF19FD1C71CAF1315B81AB7CAB,SHA256=D331C97522F0D0125B44ADE2888DA7F76D3C3431570007C0E74D2E1EA09AAD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:20.791{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F179BC695EDE9A172F43BA58C9DE5C1B,SHA256=32958AF43A04D38390F9E5C605FA85E0505A32E5839FFED6F5D51FBDF8B91169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:20.568{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BA66CC3BC59B6D89174DE13FACAA6E,SHA256=7493C8D39999FF78A78EAA2D08329CF8C2E1AEF05A28AB5A95A6672D22B32093,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:19.110{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53385-false10.0.1.12-8000- 23542300x8000000000000000369479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:21.802{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD97EEFFD0B2CFE1694F18ED9EB6489,SHA256=25399C0310B9AE08454161E853971E9CA2FEFD56CEC1FF44EEC1B1E85522EF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:21.806{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78633AD87662ACB58AC0398779C09C29,SHA256=284AC902F32999290C06A94F1231E72293D4F70DABE7D3C9B11BC76CCF20C7E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.896{6F8252D3-3C52-6171-2F2D-000000000602}5162552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:22.839{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8100DB981147FF3A84D45B814F00C142,SHA256=69738A2EE564C12B0B74DF37A8D3DF0F5FE98A4CACB35186280A7FCF4DDC2964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C52-6171-2F2D-000000000602}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C52-6171-2F2D-000000000602}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C52-6171-2F2D-000000000602}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.662{6F8252D3-3C52-6171-2F2D-000000000602}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.380{6F8252D3-3C52-6171-2E2D-000000000602}27641640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C52-6171-2E2D-000000000602}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3C52-6171-2E2D-000000000602}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C52-6171-2E2D-000000000602}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.162{6F8252D3-3C52-6171-2E2D-000000000602}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:22.324{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62027-false10.0.1.12-8000- 23542300x8000000000000000369525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADBD0DC87B5CDC4AC5BD35280F68A1D,SHA256=2239F1B8516EF73A67C89195A2074EE578000D113E5BFF2E508692CC7C14853E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:23.888{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDBACC7735B3BF65804EADCA3E7EE79,SHA256=15FE3B4F28AC5F9040CAB16F43626B55EBF5BFACA4C52EF28DDC5CC69BA40B2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.396{6F8252D3-3C53-6171-302D-000000000602}16923864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.177{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AC4559A1A35C32A0747395EB65121FF,SHA256=C6C556E639099B5F99CDA424A1DF26C6E56CF553FBCBE569556121DA6E673E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F44A3F5E36D5345B2C0B9ED18A68BEE3,SHA256=7875FDEC67150CD58586D26D4A1568BE47F2A544379C85C5134247A633A3675E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C53-6171-302D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C53-6171-302D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C53-6171-302D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.162{6F8252D3-3C53-6171-302D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.099{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA81BEE8CF02C0E12F974B2CC2EEAD34,SHA256=FA73AA287994AA0B1AA5F0D74DC40A7BB2E9F7C23B1244DC9C9C55DE3B193C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162EA136DDCBEF2CF523A2E9ADBEE314,SHA256=C7078C97A50CF9DC0904E2E6D6A0B92BAE5E3E71EC3502B598AE7D53D5B01CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:24.903{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207B8173D504734625EA42B70221BD9B,SHA256=F8A5CEA0B53D1001256DF26D0382D8E34CC5809D57E221ACF15B1DBFFEB5FA63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C54-6171-312D-000000000602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3C54-6171-312D-000000000602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C54-6171-312D-000000000602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.304{6F8252D3-3C54-6171-312D-000000000602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.161{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AC4559A1A35C32A0747395EB65121FF,SHA256=C6C556E639099B5F99CDA424A1DF26C6E56CF553FBCBE569556121DA6E673E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:25.974{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4798F6B7441BB7B5095B67871FACD390,SHA256=188FA8DE8CA6B5CF1E00A547C73050F7DF5D9EEB9DB43D86B6D89616256ADB28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:25.935{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41870C9D9ED9547CB87CF74DE15F75EE,SHA256=352D726BE6C0E6C2B9CA3C1A535EF6D04504910D268B730D93F22542961120E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.235{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53386-false10.0.1.12-8000- 23542300x8000000000000000369541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:25.302{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97580C75BF7ADA62EBA673E7DA1302FC,SHA256=A40040942EDCE97553CD5F52342573286C3F556165F60CE401C2FC06B9BD7405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:26.974{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7ED4AAB7BEAEDD7746EB912EB6BB886,SHA256=C096C5C2AAAF9A65A9EB4834A27F8447A1846562DBCFF95A799571DB9A40CC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:26.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C2ED456F0FDA428CFB58B05E1C0459,SHA256=B9625793D0464FBA0B7C111AADFE49262DE2956D495872C07E92F4F4FA3B48F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:27.990{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3997A97D48B99876C80A520DE6FDF53,SHA256=3397479BCD074CBF999705B7C00E7564D762E8CD98D4BF5734B53BA56509C38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:27.984{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81DB26C5B68BBF074E69C3C190CDEED,SHA256=9294339814E84FC09116C200476E37CD91A6F05FA65D7469619C2AED406D376A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:27.414{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62028-false10.0.1.12-8000- 23542300x8000000000000000369546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:28.990{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C4BC649804857C208E93A8576A53FC,SHA256=82432332B359354E067E13D473474872C67844DBBFE3692D1186B00C58C74EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:28.998{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EA1C7A558F01CAE017D37C680455E6,SHA256=2E7BD77F779743B44907082F100C107315E9B1C9DE4C17D18701899A3EDA71F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:30.036{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B74944A6E72D0477B376BE3405B478,SHA256=06C4034FA0C420CBC5034313519D06E431A5CE98D495204AB8D142848C2D9EB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.905{8D4DD44E-3C5A-6171-242E-000000000502}15403344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C5A-6171-242E-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C5A-6171-242E-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C5A-6171-242E-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.722{8D4DD44E-3C5A-6171-242E-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000424116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C5A-6171-232E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C5A-6171-232E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C5A-6171-232E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.051{8D4DD44E-3C5A-6171-232E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE890A3AC8EBB1197E503A947604C7AA,SHA256=F989CF9EB9A1F285E54A978049725A6675E776773C4CDA9F7794AB1C47629CAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:30.141{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53387-false10.0.1.12-8000- 23542300x8000000000000000369548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:31.036{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31814842B5C0F3EFDC28F0415172878B,SHA256=6BFE9327F0D41CF9EF77DCB45BC2CC1945C2E8E5FD8D83B255EE9678166BBBF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C5B-6171-252E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C5B-6171-252E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C5B-6171-252E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.390{8D4DD44E-3C5B-6171-252E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:32.033{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-10778-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.058{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5348BD35AE0CA0415CBAF499D7858E03,SHA256=D623ED507CC91ED6C29C9EED9E626D11F0AB55D7C40615DE0D211EB2409C3765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.058{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A17265B81A0841C44E9F102834B833E6,SHA256=EAE620EC3E979773EE0E2D42529078C956896B353D3400EAE95DE5261FC67A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.058{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57055092FB2C06A232BE954584F05DF6,SHA256=23019654F09266BEA35217A8F5EA2CC92B971F96E5B48CC5982B67BA548E0B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:32.420{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A17265B81A0841C44E9F102834B833E6,SHA256=EAE620EC3E979773EE0E2D42529078C956896B353D3400EAE95DE5261FC67A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:32.073{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E499B59265B3924A0BFF541DC9438FF,SHA256=F1AAEC12ACF5AB4301B21B0D0F538FD7DD7864EC7C922D1672E1153E263CA9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:32.990{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD28D8627A67B1179E28003318B5C28,SHA256=9CA3D1B57F5F753CEA136A6B582C3F67321BD2B48E83CCFCAA2F0043197C1707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:32.990{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CDD029F019D7926AC8E1185A24DC6B1,SHA256=B37EB947AFE91D082E619540F7F350131FC9ADD3625AA7DE779E6032CE2EE7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:32.036{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F40B68EA2042BBB4FE81B23E299DA90,SHA256=24EB3F30846F7A06ADF4630625715D2AAD3ADF4AF887826BEE5C641B9844F601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:33.068{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7B03988DC6F817591A8543424E93A7,SHA256=785183E7F2C2FC1AA76CC02309002BC156ED71C4F33560C3BEE4BF41A018C8BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:34.138{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53388-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000424141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:33.279{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62029-false10.0.1.12-8000- 23542300x8000000000000000424140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:33.088{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CCD7E8125F30F5B0A027977B440A0D,SHA256=41B0682DDDD6E5103BFE58E23EB55CE27DC7F3D2674B2D53C1EE9677FDE6ADB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:34.882{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=413CC045CE745EF223741AAAB97237AC,SHA256=2DD6EB1685FC3928AE40F180290928ADE859489074F09B31D4346CE3CD43FC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:34.224{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369D3EE17DDB0DC04E27016D65945839,SHA256=3F6694984F3C72D478AF6FCED7D94E2AB28574FA208C3D2962FF4279D6D3629E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:34.955{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F51C983763400985D76355859643E1A9,SHA256=F800D7083574514A4531E66E015A67DBAA6DCEBC3C3DC55F53A5329801BD989B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:34.102{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7578577A6D4641439CFA3FA1D35C4F,SHA256=D901C7FE3F5F17D8D634222257573C70793E4AE42D2DA59567C21AB80E0090EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:31.988{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53388-false10.0.1.14-49672- 354300x8000000000000000369554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:31.892{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-15363-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:35.460{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E74C683493FD04E58980D5F4032409B,SHA256=A8A56BFDFFFCD557601233598540254BC6FD9CD56D8027A8C36254E06B23069C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:35.117{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0605B2A3AC9BC92BCFD9B6DCB4C453,SHA256=37F90279CA4726A61AE0099EC97211E7B38DD7E4F01C9964CFB670EE44604BDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C60-6171-272E-000000000502}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C60-6171-272E-000000000502}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C60-6171-272E-000000000502}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.932{8D4DD44E-3C60-6171-272E-000000000502}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000424155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.485{8D4DD44E-3C60-6171-262E-000000000502}50166124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C60-6171-262E-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C60-6171-262E-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C60-6171-262E-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.333{8D4DD44E-3C60-6171-262E-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.154{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED60CC0553AD24E0FBF82A239112819,SHA256=6D5E3EFCC1DE9718ECBD034DD9E39D4ED822267A4BB4BEF4AE9D7477D51E7E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:36.476{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09B5AC6EC83575FC154851C1ED10007,SHA256=5C147CBB2A77357F33565F67E9622304B7D06567E6C79024F11BFB8A070EB1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:37.492{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23F5760EF489F82C2A8A0ACA465CCFC,SHA256=448C2958AFEF62D25B5C65D55579AD90C3E9FBE4DF2F380146CB36BB275BBB41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.784{8D4DD44E-3C61-6171-282E-000000000502}3362200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C61-6171-282E-000000000502}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C61-6171-282E-000000000502}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C61-6171-282E-000000000502}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.616{8D4DD44E-3C61-6171-282E-000000000502}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.360{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62030-false10.0.1.12-8000- 23542300x8000000000000000424166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.353{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9CE28E5185DEEDD1A089E17AB6BC6ED,SHA256=5AEAD037BFC0F4A1BD24F15B9B53DDB34396C2686417D70A8FDD289E8F663AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.184{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7A19AC6140E64467D1B1CFAD05FF40,SHA256=7A8F83F2A5E118FFAA4266739500559EA14DDD109C524F75E44F746D89780410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.100{8D4DD44E-3C60-6171-272E-000000000502}59964172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000369560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:36.034{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53389-false10.0.1.12-8000- 23542300x8000000000000000369562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:38.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574DB6444955341EB0273859755F0AB0,SHA256=B7AEF7E0747C46615A1C374A15ADC674A05B5C887E70ECF2C34CC4EEE8C618DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.621{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E9D46BD27183956544B66CAA7C197AC,SHA256=F43D6FF72EC19554722B1C7F3A662EDA525880B09690D2D4B634807DBC146F9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C62-6171-292E-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C62-6171-292E-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C62-6171-292E-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.259{8D4DD44E-3C62-6171-292E-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.188{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD470D3B3E9B985E00F5BB940CBCF13B,SHA256=083ADA7E6C2061E65152642B4E2C97DA77B33430B25308F7D91831299C78CAAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:39.189{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586A2EE0937982315FA5C6A1B87DEC00,SHA256=8B6FF5AA53523E58C86829F680E10951544C2BFABB499A542ADA72EFEB7E1BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:39.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1633919D2FDDFA0C92B5DE105C1E6FA,SHA256=56A83472CA23CA7A5F9D6AE3339E0AFB8C485806B235F0D8BE6901294900A91D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:41.033{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-61553-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:40.204{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADDECE5C47E4F83F68429D77B4FCD19,SHA256=F69FCF754C888F6720E68D4A1DF75283A0D59DDFADE4FC456B7AF9F3E842522C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:40.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5AAA8309112BB0C6C355292CA7F52E,SHA256=2FA0131DD8CB9CB5C83D0D409F8742BCE929AC0758386C2A1D7F99125AF42A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:41.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369D48142C02BCF094E3DD6BB8570A00,SHA256=CD7425313E4C730F2D1EF48BA1BE3FCAD76DC02502B3CFB16E124E0F2820BD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:41.318{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA684CF972CCE5BFC332F90766847D20,SHA256=459661396BFB814083D0A3CF9699001993EAEE4BF118EC3083272A433B6DE10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:41.255{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E7808C6782651A3CC8E65853849B5B,SHA256=3F19220223BCBFFBDBD1CFA97950D839C4EDB8C9AD305A5A32A9BE9A21C7EEAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:41.112{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53390-false10.0.1.12-8000- 23542300x8000000000000000369566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:42.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D22AC63D582712CB08E24F637D9B86F,SHA256=C24C8DD7994049A361349DF6AA6529514BE3F9CB2C4E89E9A10756BE7320967E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:42.647{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local65507- 23542300x8000000000000000424192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:42.286{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC417F830D94A6470181AF1EADD74C7B,SHA256=1D94DB840938FBC5FA2F9A8A4C309842881F5EBC0E60CDC8FD3354C839C04288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:43.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C44AB7F07AA28F55B6FE9A3FFB25B76,SHA256=D83E78CABFF0ADCFEF53C790EC4BD23EF04EB7B02727E6D69DA7157E139EE971,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:44.245{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62031-false10.0.1.12-8000- 23542300x8000000000000000424194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:43.301{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2B912038E5FCBE646155F488BA0270,SHA256=44AC59BEB9226AE026A437B8F8EBEAB7711A01CB8E64CE199910E1932F141B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:44.757{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:44.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642D0924B63A7695B28988B3F64D51BB,SHA256=1C901F5DB8C5D73941255EE172C2E77EEB258390C45EAC1973CCE446FE504D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:44.316{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6391AEF08155C28E858CB2781EAA6B57,SHA256=3CC3B16636A2F9FD5177AF3354C6881EA3C73C77CA3E49E75E3F1BA4258314CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:45.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17D55CF49DEE78AF76A932CF191AE1C,SHA256=7F0436A415F07AB81F4161EC0EB37082E4B38C396666C254D8A31054F03EDC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:45.317{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90F58954757045D3009984FFB1A5581,SHA256=FC080A6561E4829B74E6E35A8BE6C8F834983EC3902CBE60A8DF20AB3559F62B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:44.753{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53391-false10.0.1.12-8089- 23542300x8000000000000000369572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:46.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78295B1B8AE7A32327869A53D7E71206,SHA256=43A3176178BFDEA6C81D88C248DF216E51AFC7AA9F3CEF94B84CABC1003760C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:46.336{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95402B291C2E8F36A405E246FAEF8A7,SHA256=90AADA50A0E27E19C6B93D9522F8BE5EAC74DBCDB5BFFF5E6A1D909271F3D1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:47.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF794B03233C3AFA9EA8861EF7B79261,SHA256=96B005F4D11C5197E22D44EAD5B8407BA4AC575FEF7998C8EBB315E7B9A6F946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:47.354{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1ECA63D24687070D97C5F3517BD688,SHA256=E2E7C38E94D586E6B865115DC6D7CD0C9F657FFE28147865B2C8D6DA416A3FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:48.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6866A19F18ABCF4B0AF2D4419390CB,SHA256=A4E22D674EAC43B977F6A819FD417551BA6BB9D0D4873E8C8B9EA59245D20815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:48.384{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE173E16B88CF8FF072915CC99D3840,SHA256=6D175BD86DFF88478F03766DC5772CC11B3AE472EA53587A46FC51905551F38D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:46.174{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53392-false10.0.1.12-8000- 23542300x8000000000000000424201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:48.353{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E99426DDD238ECE6A5A5A3535BA9ADE,SHA256=22F58C78E810E5C679979A8426D3588CD1257B8561E030C0B9E9CE677042D68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:48.353{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B192E0A4CE99529B21C9CB5F6A7D5BB8,SHA256=3936947E8809E8B5749C5E6EDB98D2B34ECAE1FD5C3A07F5CAF53D1BC8A73EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:49.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240EA41E10A88901BE1218C6A135F697,SHA256=A2ADE5070528C649DFC35C501BC6E8E185A3D3595BF60D6A2FB0006F910C8D0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:49.408{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-54863-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 354300x8000000000000000424204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:49.314{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62032-false10.0.1.12-8000- 23542300x8000000000000000424203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:49.399{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917F88CB3EFB9C1771B6EE6C44959943,SHA256=7A61B3C99998C9B6E634F96D803532019FD827519DA6621CC49FB8420B45179C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:50.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1925266B158527736EF1716AC95EF39E,SHA256=732BE0A157DCE52F252D93C4A6E6231F401511D1D61F6B31252A2D62AC3E236D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:50.435{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5F04ADCE1D5FFD6850BBA543D442E4,SHA256=CE5375CCA0A10F8C7BF0A4945A40A876BA2363FA16AC56F808A74890EA340AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:51.525{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFE7A98F85C0863C1DF775203449571,SHA256=50A7ECCF44A51D1657B1073521B43DAEFE50B8B14088996B9ACE7B4650884694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:51.450{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBE4DCB79C4B8E8D45C8ACF407A4BD2,SHA256=C1DCB977BB9BED942E3309D9A752BDB7D762E79E2015A826ED73ED5BA7AD0E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:52.681{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBED0EB292F3B70DA07485BBD104B52C,SHA256=DDD48A3691DF344F9D46E6288BF3A9A4FAAC16334540B4BEAA96EFAFCAA72A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:52.465{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EEECB53445EAAAFA82F4B1C146C0CB,SHA256=BDD7C3404A257C284D39C888FC1DF508D6F8FD3CFB2D8F16BD4EB5A0A8E09F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:52.027{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-1585MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:52.149{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000369586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:53.695{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDF5551A185860595EEC40F0E4DCA93,SHA256=05C3BFAD622BCDE5470E5746D6A868006F64CB0AFCB3B354AEA2EB73313EA092,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.312{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62035-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000424216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.312{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62035-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000424215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.221{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local62034-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000424214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.221{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62034-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000424213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.212{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62033-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000424212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.212{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62033-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x8000000000000000424211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:53.511{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01623AD5EA13522029B9C8C8F6077220,SHA256=A8EAED04A7E0B3A958857F9AB18C9C48CF4DB017FB8BEBC8BCA48EF86787C2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:53.680{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64096C90195E967CF84FC06D41A7A380,SHA256=FDF4879D8F230F4BEC6E3EB8A4557AA70DAF6800316F9B7AC6AAF5B78B54207B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:53.680{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD28D8627A67B1179E28003318B5C28,SHA256=9CA3D1B57F5F753CEA136A6B582C3F67321BD2B48E83CCFCAA2F0043197C1707,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:51.237{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53393-false10.0.1.12-8000- 23542300x8000000000000000369582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:53.040{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-1586MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:53.064{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E99426DDD238ECE6A5A5A3535BA9ADE,SHA256=22F58C78E810E5C679979A8426D3588CD1257B8561E030C0B9E9CE677042D68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:54.837{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435CC24B5EE801CEDE9588604A7C7F08,SHA256=A9EA57BE032058FE45B120EA6F7776C2310167996E61C2F5DB73E5D6270F7757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.828{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53394-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000424219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.409{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62036-false10.0.1.12-8000- 23542300x8000000000000000424218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.531{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF9F5A5F9E9CA9AA2B83D36A9895309,SHA256=A6F70C3E9FAC2F4F93BB0187BD363983DC66CEFDD526370A29885C898719C8B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:52.678{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53394-false10.0.1.14-49672- 354300x8000000000000000369587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:52.576{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-8295-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:55.931{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F5218904F25BEE61B0360375AEAB8E,SHA256=50C1DE3A027DB7C23E908246FA763CBA5DB301EDA34EF9F653DC479EA622AE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:55.609{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5A0DD46460C280AB2D9E9039669372,SHA256=2F9D0CD786D45E1F212172AC880F3599F7C2FA90A41B7E3A65CD32BDD78C7E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:56.962{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D58ADA6F928B82A1E4185C584DB381B,SHA256=8AE37E527A179D626C4C18E79DCA37E15953BD326D441E091E32BC229521EC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:56.626{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE8C96824B9AF426EEA9293CF27AED7,SHA256=3314245BB695912ECACDB75C36B53AB2093868B4BA464168DE08FCFBF04822A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:57.978{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B544CCEDCCC949D0990892340C2700B6,SHA256=17E405AD5B420811100A9F4BD8B3C8150E411F8786B9897AA23FE47ECA72E7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:57.645{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF8273449484FB3406A202E5D8C29A2,SHA256=9F818F85787157CAB72CB0FEAB2C54886A9B683A671BAD41D5AEE09F936CCD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:57.592{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:58.676{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCAC6D910431EA34E1DA5C44B360CE2,SHA256=0C22C3C7C366E860E83756B3A49753A6A64FEE018A0FCF5CC9B4D0831D6FF522,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:57.114{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53395-false10.0.1.12-8000- 354300x8000000000000000424228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:00.283{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62038-false10.0.1.12-8000- 354300x8000000000000000424227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:59.736{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62037-false10.0.1.12-8089- 23542300x8000000000000000424226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:59.691{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA14E5F617B2D1918090AD351849CD3,SHA256=FD74F124C4AD8EF1E78EFCF40527B2C5A8FEB9EAD884BCDED152BC501B2A6C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:59.087{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C3061FC81C58101FEF53D6728C904D,SHA256=6DCACA5EDF9F35EE9DEE88ECEC84D3F5EC8F5425C227211336977282E7481A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:00.705{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D26364F492B8F9274B2A2816FE4D9C,SHA256=CD6A05047742B896C64CF57513208EA3EB80FF3EFD790BF0AF9A4E5D0597E19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:00.103{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F41FF4635C22B2478446F84AEB1AD66,SHA256=1B035D8119AC4D58EDB97B17CAA5FA5304808DBC812A5D3AFE50D02983E0148C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:01.726{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A041AF25072A79FD9423131546A49351,SHA256=A49A50F145DAC5C044F9FEFAC72AAA68CC788EB2C1D71E923E001FB479BFAA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:01.150{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50309B346599AD311E70E98F8946E04,SHA256=03BE81D913C3BF178100EC33398E899C3D858C40E04D450FD71CB4785CB43768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:02.740{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E45B0C78CC7B77034A974C8A7ACA546,SHA256=6DC3B78C4E6951CC70532639450B2168E84430542BAF4AF044C92E0382BB633E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:02.150{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A49F51997260309345169903A32AC0,SHA256=AEB23B99B1F600774073D0E4E197684D9D8C053AFDD9F5C5E924695F34F048C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:03.902{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4DCD814D67B0AEBB65968C13D158740,SHA256=994114502E94CA687C2CFE8D7DFDC2E961CDBA401DF8F3F75CA73345B4F9B103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:03.902{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60935E3D16ED5EA815779813DE04F33F,SHA256=2A102F2D2F39B08A8B711517C5BE4804B9107B80CE47D7F792EB4311DBF6F995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:03.755{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6E6D18CF432998282E22891D8D231B,SHA256=49751C605F9D31778FBF36BC4E42F602D9C81C3CE9A47B5DA604764E130558BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:03.384{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F8281169797766EC2903A8C287CDA0,SHA256=373BF7EF92666E74A1465BC2CD7DF9834F2174332513E1D45767D97AE11DDEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:04.770{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6B5DB52F7C5DAD2A523CC6E938A197,SHA256=5293571B62325DD6D795A5E0BB394246E7419C716D93658CC9471C1D9E76C5B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:04.431{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0954DCDC499B08122205EBCDF63F1AD,SHA256=EFD21F0A97564CE5A60DFAAEA365D0D90BD9CD4377BB548589A067700797A36D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:02.208{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53396-false10.0.1.12-8000- 23542300x8000000000000000424239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:05.822{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86782F4437BB48F6746F3AF6038A57B2,SHA256=7A0645F5EC78D6946DF94D73E6EA004181DFCE2C4DE9ABDEA03B30EB529EB012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:05.509{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55700927F8A0EE7065B3C7DC02351E6C,SHA256=7558D558BB9177EF96DC0FB9F72E1CE24B92AE0DDBC48F0ADAB57F0FF170F9DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:05.478{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62040-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:05.478{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62040-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:05.378{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62039-false10.0.1.12-8000- 23542300x8000000000000000424241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:06.837{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1605B5AB2038A21389EF40E273638789,SHA256=AC3142EDAD6B8779A3465A7B16AE3D2EF2A8AD02FC531651BF1FA38B23AC0896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:06.572{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D374C96DAD536408EA7B300F22AE62,SHA256=BC875C98E2DF5ED2791B8F0AB94F3D668B6746267FEBFBA3FCBD41CFC071CB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:06.555{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-1585MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:07.852{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E61D236BE0D5BCD4BE365AC0EB335A,SHA256=CA8AC41EF7248A0771367AF20BA226A59E1E25AF093041690CABFCC750587DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:07.572{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C781778666686E91BA79812574DB1F9,SHA256=560FB9AE99A0EFDD3EE69F0BAA71D0AD9E5BD580630FD3CA656D01DE1C3BDD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:07.569{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-1586MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:08.882{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA39C0238A149116134B75DEFCCCEC02,SHA256=CADCDEB7E9C80AEC4E745A3721EF72C83D0EA86D0D97D3F2D85CCC45438FB2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:08.884{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4207C11849EF0E4C7099EC7922577A,SHA256=BD4B8952F44AFC3FA479E33F939F46232912B618410A914292A766490A52C8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:08.884{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64096C90195E967CF84FC06D41A7A380,SHA256=FDF4879D8F230F4BEC6E3EB8A4557AA70DAF6800316F9B7AC6AAF5B78B54207B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:08.603{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4572425E11A399B79906CC8F1E79947B,SHA256=88D62DF36438AD8C7D18C8CA28A3F435A51E28C88A4697448FC976ACC46A2E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:08.867{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4DCD814D67B0AEBB65968C13D158740,SHA256=994114502E94CA687C2CFE8D7DFDC2E961CDBA401DF8F3F75CA73345B4F9B103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:09.897{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3504F7DED302388C88E043D0A9D359B5,SHA256=6C43ED58549D5D6075B1D227B74627E03F5AEB11B3C207559B1EFB1E08495F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:09.603{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7DA87E7468EA26AFD6BD3F818B1A31,SHA256=11337CC44E06DD7D75ADBEA2216361142834CB257D0715B72564877B4609E567,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:09.922{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-48331-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 354300x8000000000000000369608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:07.882{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53397-false10.0.1.14-49672- 354300x8000000000000000369607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:07.801{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-48471-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000424249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:10.898{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C305BF35E093751DBBC1813B398F2051,SHA256=6A6CA0DE693810659EC167D59F14A28068C925C20ED771DA5BE7EF870B65D88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:10.665{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B88B397F0488071FC3CF1258F42C63,SHA256=856D06D4A77271A9307E5CCEC5B3CFDD6F0F94023EB515C3FA55A05595B2AB4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:10.032{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53397-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000369610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:08.145{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53398-false10.0.1.12-8000- 23542300x8000000000000000424251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:11.915{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F6708A5B44BFEA0539C7A3E68C4DB9,SHA256=581AB8AF23BF182F61D07E6DC5000345F8796606965CA058B8354BAA4A666612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:11.666{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB13C8455D5E535FDA6A667FD552C525,SHA256=0FB16DF2EF24880C6A57D68DE86B57FA97600E9B311116D2CA15B35AAEB44631,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:11.373{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62041-false10.0.1.12-8000- 23542300x8000000000000000424252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:12.949{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3686F8A91C85498474A8E552D1577AC7,SHA256=14124891D7A5AECDE2B5E00C98519043E69632DB7801C7223AEC038D84F57B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:12.681{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CD75EAEAEEF4644D4D56F6A3CE9FD4,SHA256=3B5D3060BFF9EF7B7321EC664629FA631F5A2B12D2B025CB2459A2B4CD137FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:13.697{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667137F732C26090F3292033B4D5EB59,SHA256=A207C296B6106CEC060036EAF44415AD619BB329B264563E9923B5475180CAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:13.979{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B01A270C0831E4B4AB69DBFE079F611,SHA256=5320887A26226A92D8B8F022E0D7EDAD0C721610CBCB4E8758C57AD9B71AB55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:14.697{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D976B003AD1E1116117C6A8520BDC3E,SHA256=0EA9FB274B8E04EB0BBF8265B4FC699F0234BB40141A0989E5EC2E3A5A2A9A66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:15.698{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C96B43E8E2E037385A6B356CA75626C,SHA256=3DCB52E88217F1ED69CDC45CB284BAD2BDA0DD3E2A48A14D81A0DB7DA768D853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:15.193{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5011127E842E4319DE077F30223C8C,SHA256=4CBFBDDC8C5219EA8770941DE200BF8C6045BECA166B5D14E453B9200B71A670,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:13.255{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53399-false10.0.1.12-8000- 10341000x8000000000000000369631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C88-6171-322D-000000000602}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C88-6171-322D-000000000602}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C88-6171-322D-000000000602}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.824{6F8252D3-3C88-6171-322D-000000000602}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.714{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6C65E95EC488C5C7849886D96B25DB,SHA256=2CB86B47411DAB840A2FB4DD66485767592771468682BED6D68B132A79AE46B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.230{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF36A59E2C0EC83BCE9D97ED41756F4,SHA256=A7B038BCBA058F142465A5F34D0FA40356B1833318EF81AA2B920E011BBDE764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.015{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=4F1FC5D7EF50C35D2FFB2CE69CDDADF4,SHA256=56E45B518A9E4D1B2B431B5382ACED6CDD52F5E998A24A433951632E69B63B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.015{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=245B09017450215AE930DF5FD1FAB7B7,SHA256=D44CE0B6A64F02081F6F4DA2F7DBF298EB0E87461CD398F20B9460E6BC7A5089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.015{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=A06B5BB884EC7B0A29E3013300DD2AC1,SHA256=B114E592A94301CD23F7EE2AA865DE61DD80C95C27066DEC9B023B5666A6ADA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.014{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=31C9CCF389F2224DA2F71F30936E9AD1,SHA256=062B7FBA1B52104F1AB6AAB4D13DC9556492E2311CD059B4C7FE9BD3CFD66CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.013{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=6F1AFB58F4083694D4579F8FF7BBF66A,SHA256=BFEE651C46F3622456B9131FEE6BC1A95B2C873BB903544F2E02E206A97B1D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.012{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=E5D2BE68C34A71763834D431315DF4B6,SHA256=89DFDD240DAD476CD4298B348AC62972090F65FD0864473733B1DFA36E896D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.010{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=8CBFB1372F5723E8F5D267F131AC9A87,SHA256=A8D097818846BD5EA238E703A6A3091C6462A539750FBB803AB3FEDD30F7C775,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:17.291{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62042-false10.0.1.12-8000- 23542300x8000000000000000424298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:17.261{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA58EF71297FBC93CB85C026B76CC9D,SHA256=16FDE2C403CE310B1D49D32F77EA519FCE56C2EB27704EADFA7B2D7B7009C895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C89-6171-332D-000000000602}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3C89-6171-332D-000000000602}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C89-6171-332D-000000000602}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.324{6F8252D3-3C89-6171-332D-000000000602}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:18.275{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6979AEF1964BF1C4EA45DDDFC1B9A27D,SHA256=550E0A3C5498479BB7549C942A5AA8F5192F96F5AC20FA3B14C20390327BDBB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:18.183{6F8252D3-3C89-6171-342D-000000000602}1668724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:18.105{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7368521EEAA4F05F6DBCCCB324656F7,SHA256=78C0AB1B2D4C36FC399A1E826286401D2DC29F952B6EB5B0BCE2D49A479FD13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:18.105{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4207C11849EF0E4C7099EC7922577A,SHA256=BD4B8952F44AFC3FA479E33F939F46232912B618410A914292A766490A52C8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:18.105{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F5E3E992B27D59E75023F574A692E5,SHA256=F869A430F50D9C9241A1670ACA6EB383F9E41378607DA3BF96F23C18E949FFE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C89-6171-342D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C89-6171-342D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C89-6171-342D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.996{6F8252D3-3C89-6171-342D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:19.290{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EAB12751329DCE72EFE0DC40D858EA,SHA256=AC59D4310EC342069507AA93F4385E4E2E6616DC45B421231E203290A79D4FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:19.198{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221B11D2ED433B73AB7D9C7570C003EC,SHA256=077101E17487174CAC2641447B58A7F5F5A6C0784A194FAF97DE234E7C3AA559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:19.027{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7368521EEAA4F05F6DBCCCB324656F7,SHA256=78C0AB1B2D4C36FC399A1E826286401D2DC29F952B6EB5B0BCE2D49A479FD13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:19.116{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53400-false10.0.1.12-8000- 23542300x8000000000000000369664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:20.214{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AB4A30A6A8B29044D79464A4E61FFA,SHA256=1728036C50BA1F94C6BCE3D4B112FA4CD3D59D0FA7E3B10884EE1020B47B34F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:20.326{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88C08882BC91A3B7D109B345E436055,SHA256=F3935AA03BAC732682B12E4B5030DE91685B1DDB01C44D46FF52A1592B2DEA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:21.214{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E642B7953AA1035205E54408681CAAD1,SHA256=BCF5BCCEC7DB3FBD3E14593206F6691830BFE15A65A5855A0EEA3E77A0FFB1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.356{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB562CB9DA2262B99FCBDD0C8AB080C,SHA256=4EA729199911BA8CBDCF3792FB41772485D82F4173614D118A45871CEF54ED4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:22.364{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62043-false10.0.1.12-8000- 23542300x8000000000000000424309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=2EEFD9045520784FF7D754447BB2ABC7,SHA256=337D2F0F73F8335718F59ADE317676CC5145674E2FA54EBDA89CC23838704287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=5BD43BC9AFA9797B5A6ACE9B29D48E30,SHA256=AF8B95EAE3C038F9D4196B042F1106C35543ED22267109B847B1AE2CA7D38CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=E5A0ACAE14BF8DBD2C49A111377147E5,SHA256=9E90AE660A1B9F3CC389559E24B4EE99E3619A6E6C0633868DFE92C3D5EBE749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=E13CC016645B621C31925740CEE5B5A6,SHA256=D64A35A42103640F5A4AFAD3C8D126FA2B1FFF2C6982C8CDE9FB61AF8FD92165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=6ECA3E9B7B5BEA37DB6933A2340A8DC8,SHA256=EF90E8FF57CF719BB8CC4FE8A7A3C5DD3E533ED99A252FEC65F1E12BAB0A157D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=35C600295F0E37CD9B8D49F0CC7BB4BD,SHA256=424D39EBAE9557CA3C9FFA42E29B956C0EB64202BC5BE74C6A2679A3F52AE455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=D915D4736ACD988EB068AB24A064FAFA,SHA256=90363451416C96E24AA7AF67BAA29D61ABB881469CBE4C188AC768B003B936D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.823{6F8252D3-3C8E-6171-362D-000000000602}15683260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.683{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C8E-6171-362D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791