23542300x8000000000000000423950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:27.645{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850D23E55252F80CD0DD8120A4EE6710,SHA256=4E9B0AEDD0E2EA6103170A95432EE3C7A050C8EB92F55CF5CE1C0848EC4C0A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:27.465{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C69D8F070379985747368B68B70904C,SHA256=1EDAB8E15035BF88CEDD8116B0668682948AF4A3F29508305E5BA29B0FAB0989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:28.677{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C298F9FFAB9586A764565FF4B7A0D2,SHA256=47A8D0C75AA54176C61C1089D988A503E546E8F6F2C91CABB223C12AF118C600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:28.481{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74794F09CDA0047D84C3E3F1CA988562,SHA256=1B292FF365F3CB153AA9E38B7B59CDEB5F4AFDAF0C4A28BDB27652440D5A8CD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000423953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:29.257{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62015-false10.0.1.12-8000- 23542300x8000000000000000423952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:29.696{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D030C964186290B9E595A7EB280D387,SHA256=C00AF11FE3C5B117D8F45AEA83049D93C1440EFA7D8EDD1909C27FE05082BBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:29.575{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620806F5250058E6C0BF000693B25896,SHA256=1723D6E2B4FD42ECE2D4B5F1C9DEA73B64DD93EB5B3F43F7497E5060B4B86D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:29.086{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53372-false10.0.1.12-8000- 23542300x8000000000000000369361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:30.622{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1C063E6756C4203F9626E53288EDFA,SHA256=106989E960D3F53F11639E2569C34BE29699D876E7D3FEF60EF4C07DF5B4E59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.742{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AA1A3540636D057AADBECB2B437628,SHA256=13E3337B87682B5B4C966AE38C8EF57B452F10D5E6A843DBB5694D2265A95E1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000423969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C1E-6171-1D2E-000000000502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C1E-6171-1D2E-000000000502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000423963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.710{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C1E-6171-1D2E-000000000502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000423962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.711{8D4DD44E-3C1E-6171-1D2E-000000000502}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000423961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C1E-6171-1C2E-000000000502}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C1E-6171-1C2E-000000000502}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000423955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.058{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C1E-6171-1C2E-000000000502}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000423954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:30.044{8D4DD44E-3C1E-6171-1C2E-000000000502}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:31.747{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF41A6E68769A9AF9426D98FD97AE69,SHA256=6970A411577FBC9BFC0039A219D5143C2EE8C4BC04DC303328924691ADB7FBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.756{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2692191C1E8141A435B861668DC2E0,SHA256=C379CBB91DD1C1F3AA99CED5621EA50D7F15FE73CDDA29C112823A0E15E67745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000423981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.556{8D4DD44E-3C1F-6171-1E2E-000000000502}56684704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C1F-6171-1E2E-000000000502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C1F-6171-1E2E-000000000502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000423974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.378{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C1F-6171-1E2E-000000000502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000423973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.373{8D4DD44E-3C1F-6171-1E2E-000000000502}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000423972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.057{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B5ED1414D32FE51C33D7428E07D16C5,SHA256=1789A335EACC72B4A231C9F8737BA00B8997256D679026A59EBBD0025F33BBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:31.057{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=538B2FD17CE6918716F4F1D4D676E6B5,SHA256=F76EBB3A8AD549433A4ADF051F6CD2AA78F9993781D99590F627B3FAA692C590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:32.778{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDE2A03328A2014B728B97D13E80B7E,SHA256=8631884B1128EDCA0E4AECB77F79483D5C65D8C29BD3A2367432203A0BD0DE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:32.774{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4208FA3EA9F70CA8A407B987C409B8EE,SHA256=19683D5F69D928893D69C1264FC7EDE9DE2593DBCA652CD557DA55660A113667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:32.393{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B5ED1414D32FE51C33D7428E07D16C5,SHA256=1789A335EACC72B4A231C9F8737BA00B8997256D679026A59EBBD0025F33BBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:33.792{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A360097D6990590670B763D0ACB62A5B,SHA256=9558251DBD8C08FC5CB887433645EA1F89AB7428C953A67F2E854703FC00BF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:34.955{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6921F82B56A101421EDAEDE96F632D05,SHA256=B3D0C09D07243F57B81C0466025744D43EA76D81D24ADE8BA65AA6DC16F8DAD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000423987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:34.797{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566BFFDC85B6DC1F60B7487CC6F5E797,SHA256=E6591596848730515A9D0BE607E4DF04BA0B9BDB35BA515FB78FAAA8422DF5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:34.874{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FBFB3824BCFB617A05DF89D2076D90DE,SHA256=1C3247DDAFA84E3DFACF900A4AAE6B6621C4A7DA262030B735F8B1107955D0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:34.028{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A744BF839DCA72D63C0472ED5FB398D5,SHA256=A1595D063F8DD433E05C349BE59805E3426B345E7CB0E884BD398A1A8015374A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000423986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:34.351{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62016-false10.0.1.12-8000- 23542300x8000000000000000423989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:35.808{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017E1A0E28739C9D313EF1C1AED58BCF,SHA256=8C901B5AF7D45E7AA3BFBA3CDDECB15E468EF4554A3DBFCADF44A35CB41E65D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:35.030{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057E57DCD7E30C056C74265AF0DA1000,SHA256=0F77DDC0DB3D7880D9FE8C2B5AF86F087F97EFC162CC6B06C1655C377D3A79ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.416{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-44580-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.875{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390ADBFD7F12E05EAAF9E0B6F4525C5A,SHA256=428AEE76F6E5871184B31748ADE3BD855C73D84E2B4413DAC540DAB34D5D2C0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:34.195{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53373-false10.0.1.12-8000- 23542300x8000000000000000369368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:36.045{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2290FF49C360497F8E0A8E49A8DD9B8D,SHA256=724A0BCB7C24C7933AFCD771DE14F986F4CBDBD494A5B86B4A3D5F806E5C15AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000423999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.508{8D4DD44E-3C24-6171-1F2E-000000000502}49445996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C24-6171-1F2E-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C24-6171-1F2E-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000423992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C24-6171-1F2E-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000423991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.340{8D4DD44E-3C24-6171-1F2E-000000000502}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000423990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:36.339{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B575723F2D440AB3BFC0442DDF4BAF2,SHA256=BFCAFAED6F54CB6AE18BF1778B65B6C06DA5B2ACB5F7A157869406B0A97A3C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.890{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B173AF3E6E23DABF1E9F43EFA8C9E6,SHA256=6B7DDDC1286A8B6CD7C636B06F6359DB4905A1AEDFC822A5E5C510A7C829A1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:37.061{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502037E162CF852000F4CD1CA591316B,SHA256=D6F65DD1858913C07F78A9146635C0F0A4CCCB17BAA029B911841296B22DE831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C25-6171-212E-000000000502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C25-6171-212E-000000000502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.674{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C25-6171-212E-000000000502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.669{8D4DD44E-3C25-6171-212E-000000000502}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.391{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=264031BD4FE01AE09F93BF139214ECDE,SHA256=FA27FB130265672A0451CCDDB7F06F6C905054A9AAE205EA31F410753109695B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.238{8D4DD44E-3C25-6171-202E-000000000502}37164656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C25-6171-202E-000000000502}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C25-6171-202E-000000000502}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.007{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C25-6171-202E-000000000502}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:37.008{8D4DD44E-3C25-6171-202E-000000000502}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.905{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AC00B00DC870B669B89FCD50F582B2,SHA256=03B09EA071CC9AF0325966C4936371E16E0E6E7FBAB978F1DAD1D3D98C943694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:38.061{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26DD74D1E4FA9ECB2DA6B8616CB98B7,SHA256=551E37A6E8C29E3DAAA56C0D2C545655EE9F138FE857881611AFAF1C985F622B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.689{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34EB3C474D80D60423809C0B6D732A24,SHA256=775260A06060185B4FDD64031BABCE29B17615D002FC7C1DFD6172387EE2C3EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.505{8D4DD44E-3C26-6171-222E-000000000502}50404692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C26-6171-222E-000000000502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C26-6171-222E-000000000502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.352{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C26-6171-222E-000000000502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:38.353{8D4DD44E-3C26-6171-222E-000000000502}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:39.919{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC4623801F530D62EC1CA9CFF98013D,SHA256=07849727A96026324866679D5FAB78E54D61DA0512BD1F1AC986BBA5AAB48A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:39.124{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967373E490A5C2D9A4FEA3E77B41763C,SHA256=F156385872F72EDA41B8B353E5FE143142E1671418DEE0EA6DF566B82CCA6068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:40.950{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FA565A73B4B48AE56C99738392DE2C,SHA256=EF27003C32F137E8D1DA0785E2C67C4800D8BA0D55936A19FC51CE354050059E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:40.210{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62017-false10.0.1.12-8000- 354300x8000000000000000369375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:39.310{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-53183-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000369374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:39.275{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53374-false10.0.1.12-8000- 23542300x8000000000000000369373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:40.124{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B32D29156D93A280DF685F75DAE685,SHA256=CAFC91F76AD5DB4D594555A6B5918AD89D44FC549091EDAC977A3CC717C4F7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:41.966{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97C30DB9543F6A3FD5C4818B1F07BA0,SHA256=17B28C4E7367C3AF4C001CFACE3ECD1CEC0F426DCC6FAA1EAFE2AD7E04C5AB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:41.139{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CD26E6C18EBF7F91137301E5E2D3A7,SHA256=CDBA65439EB23318E1E0464C74526CCC3E44D2CD3588C96C06F56810632C6B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:41.077{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB94068FBBB4EC82A68A9B88CEABBD4,SHA256=FF152C7A1F130CAC1FB9C05F8774AEC44F4BE8BD207E2A43D5D9A9EF2C877B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:41.077{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0ACEA2F7D10BDEAE820EDC0D0F7CD6F,SHA256=EFE5745C52DFDC73C568476416906A33632C1DC9AF573817C8029C7F88FD32B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:42.985{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBFD5091F8520787816A3304EA7E30F,SHA256=D1CF1D2887D3E8B09D00B2D8BB2723A7A4EEDC24AEFF5A8932536B47612E85D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:42.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D427BF9FE55A8C8DAF90480957A67F62,SHA256=748D5434DEF57357ECC1BD572FB10EBC5EAE896B19019337F43F131B49F654D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:42.229{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53375-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000369379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:40.080{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53375-false10.0.1.14-49672- 23542300x8000000000000000369381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:43.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C9B883C18475FDF7D8B9EA50E26CA5,SHA256=4EAA644033AFCBF62EB6DB8BC4E856CA91AC1436CECB52AA64889D9515FD1F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:43.999{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CFCCA7C37E93F00BCD7963A5633C18,SHA256=FB024E472AF95C60510C986A2A53183C7E7D9C3A9F0ABDA643514290C9972F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:44.733{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:44.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5DC40FD25A087023CC352AE5076A32,SHA256=E46E55F9A7170EBF1CC5C2A4B854F52BB9D6DC629B34BED252685F119387AADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:45.155{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C1B29A492ED2D23F2EF2E519BB8449,SHA256=C4CC05B8735500B9608302E72D38BDFA757F6EBDD0515BA8BC0D2425BE704FF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:45.258{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62018-false10.0.1.12-8000- 23542300x8000000000000000424039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:45.014{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DFA70DE17846813F6E00CDD13BB57E,SHA256=07EF5D9D02B16473DBF2292975DCD5D8E7201321F94A8C2A71899E0C19691CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:46.156{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD51019547747071DCD6E4CD6875C154,SHA256=11948E23A52A06F57184ED3DFB51403B854DB7F73802D2883141F2AA74E9F591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:46.045{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDBEDE9154A394774BB3FD9767931D7,SHA256=C8FD89D97428DD7ECFE4E70F267C5699779DAE9080272FD2871143F7229449EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:44.728{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53376-false10.0.1.12-8089- 23542300x8000000000000000369388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:47.170{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9459AE481FFF8BBB09612B67EA20C988,SHA256=ACC8612861F925D45F2785F1197FD80140CB2B3047C88B801C791A7B955095AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:47.064{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BB3F3BBCC1831CB32DF38F20789B45,SHA256=BBC7233053C51CFF4A2BD92C7DA09402C0BB618FF44D8191BB596B97231175FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:45.228{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53377-false10.0.1.12-8000- 23542300x8000000000000000424043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:48.080{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD4D88C19F6B5608A4892AC9EE325CE,SHA256=395ED4CD8075573875ACB357E04ACC5652107AABD3E0D0760C9F77442C75C21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:48.170{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6616F11BEC778764764D06ACAB731678,SHA256=D5C1830F44798C5703012792A0FAA7B6C92E3D82755564D6AFEF19E3FDCD58FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:49.095{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5FBE3698FD93410EF7070DAC48DDBA,SHA256=4FB16EA32EE639084A0C57DB85203F49E9BF14348893F577E475ECB7D084FDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:49.186{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9184B9E89072CBD7187B4868A758F37,SHA256=C06D46CA6333C67E08C6F30AD6B8F29E8D483A4B79C55FC532B37AF8AD4B4A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:50.485{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-1584MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:50.186{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294F929C63B040D22DDE4C55F77E5D7E,SHA256=9B9A87A3A6B4E05F24ED7E3EA78357F840791E795B2DC3A4B26BC8B3AC442576,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:50.338{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62019-false10.0.1.12-8000- 23542300x8000000000000000424045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:50.109{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F1E05C51DBF3A502464F6013D18592,SHA256=30E03EA1C8A8507894A25F3D9EF813B10AC382C60B96B33344E2F5BA6AA68AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:51.500{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-1585MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:51.202{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB87D62B34E61C8B03A3702A9E33E5D2,SHA256=BC7F83C9EE5E04EDF5DBEFA7E1F9A44A18D326239AF7F00E89CB977D5759ADFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:51.140{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37F9B22631BBA1DB914250CC8821C4D,SHA256=112C60726F7FFF35990E9ABE11E1659EB93E24629F8A8800A6FA24C1E5E83E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:52.160{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3E43246C7959B9562D12CEB4394D4F,SHA256=A860052F628E558ACBF7395A76C2F9ACE2561482498C8AC110FCE183FCE546C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:51.150{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53378-false10.0.1.12-8000- 23542300x8000000000000000369395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:52.203{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5FE4D7D51082E9976743A3B7A013C6,SHA256=977193B04B8758247D57FABBA9A8FA0F73A70213EF1327AB977B82A497F9D19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:53.178{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF138C2F3D2B7FF5901368DA84E2F5A,SHA256=65491979C6A58682CE9E5288AF0286EEEE67E5744F0FAC19F62E66B5C65DDD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:53.218{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7793D72FF6C9272DB77AB271E679C1,SHA256=56A8454A97A615E1C293F1F8580084905B27E6B5C6FEFCF4B08E271A1FF9E1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:54.218{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777F618460B1D82934A795D7D4890AC9,SHA256=F8C43129F41A5C1CAA0F29324CC07C3491648EED992A7BBD927FF33FBF4632AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:54.209{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E39F1EA94D44633A81A297ED411EB72,SHA256=61AFAAB0B8F6626DE32F8DD738055E3ECAC2BC9EAB8DD263AD24727E3BF1B399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:55.223{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D9D1B5A89E5BB60E1DD278A3DB90D,SHA256=773BE3EEE4F7768ACBC82B5BFB1E25D1E147CD42BC9CEE7605E78E832DC01CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:55.708{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EED96779930F7E7BE45EB77EEE62D7AE,SHA256=5C6D7A5972ECCC78B5E58189E2DAA0BE0A3EB977BEC8DA211F863C8528DA3A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:55.708{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F31314AB53F863D1D462ADBF0BCDE1AD,SHA256=83DBA8491DA2EABEE1FAB0CE8D0C2A881D7FEAF72D766F02CD6D3F930B35820C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:55.414{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62020-false10.0.1.12-8000- 23542300x8000000000000000424051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:55.224{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F830D7FC77BD5EE5AB4A4CAE12A0AD94,SHA256=F03DE7AD6DCE77CDC0EC31B913DB9FF04CE8783C3B27134AE7BCCAFBB4795440,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:56.643{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-34931-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:56.238{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32330D4E7C8DB608EEF7A7750CCA5DF3,SHA256=FB67F4A4CBC534D525EE7C1C601885CA45A62ED5BACCAF7D7AB329CEA7FA4A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:56.223{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C7923C82C5052B3F2BE9D4D20660E4,SHA256=4E62C8852888839EFD5816176B461492776B1D25E173A46AB8215E57376E7A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:57.574{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:57.274{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59ECBE076752C3E968416B4E54AB9B25,SHA256=75039F7C299DE0DE7D7F500ECA02640E2EF5FBD7F446904DF9D275B37BAF7FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:57.833{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE7CAE926A2DA18ADF108979E3DF8353,SHA256=FD5B26B7F6F2C538C80ECB04ADD4FE29BFBDADEE989C7737EE1DD10108A98A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:57.833{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB94068FBBB4EC82A68A9B88CEABBD4,SHA256=FF152C7A1F130CAC1FB9C05F8774AEC44F4BE8BD207E2A43D5D9A9EF2C877B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:57.239{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A427B757661DD7F385C8E741E1DD8F4C,SHA256=CE78C45F078ED5A7D4CFDB28F4D4657F5AFCC125DCD4A6F151997B63CFB3E659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:58.304{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A93B894FCF1D48B35A8A4185A42296,SHA256=7B93E3E952E7123E81892396EDCCA9CF47C25EE1E14CF63F516DE81E14824407,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:56.681{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-41122-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000369405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:56.234{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53379-false10.0.1.12-8000- 23542300x8000000000000000369404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:58.239{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020D7797F1D8F8DD04452A83FF3405B0,SHA256=6E78CAD6172C1D8DEADB53A74305CA48C31D4C60211DAAAD0B97787D90160E84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:59.710{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62021-false10.0.1.12-8089- 354300x8000000000000000424061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:58.977{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53380-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000424060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:08:59.335{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829812AF3C3F17DB605CBC5E6567A93A,SHA256=F270BF05E475CFF6B5971D1F0F00902FC9FDF156751C6B6F0D6B82E194DA609A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:56.828{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53380-false10.0.1.14-49672- 23542300x8000000000000000369407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:08:59.254{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96521B1EA53DA253EBC57F90E2EB6915,SHA256=49567266EE22A3B7D6B199395CF853B9257E2FF8BEE472F60943B644600C076D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:00.270{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1B11A82F2B767DAE73BEB9D80569DD,SHA256=ADD303600C32BAED89EBA1A232E4CB535BA660CF5C9794C140FBF73A52484FD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:01.277{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62022-false10.0.1.12-8000- 23542300x8000000000000000424063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:00.387{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311D567A12C9A8A77AAA1E89917CA66C,SHA256=A9C0E525DAE16DFF3DFE27C3CBDC0CCB6CDAB7FE0788C0E1ED1DB4201721FAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:01.402{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F28555831884ED31F820218ADC5845,SHA256=CCB7FB0A9493BE9C99D22C9E5F4B953A95659877B4B4347777247F8A1D853785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:01.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2C17EC1605BC1F2D9C8B43996E2F1E,SHA256=77056DDA591D18FDD904C8D0868884254FA498F7441F97C6D094BA3EFFAC7C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:02.432{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64917E1394A9CDD4C4838DB27C14CFF1,SHA256=9311E13AE858CF574E1856CE39F1ECADCBE676D051E40AC3FA6707EA3DF6A8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:02.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE224BF9C202FED8571862184D27497E,SHA256=6D07EE5C72BF2B1BC39020D23469E1CAFFFD6751A97C8EB420E13DC1CA9B0D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:03.449{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE4AD985E982C1BA689DE00BB80C41F,SHA256=53D1EAF4C049C9C7F4E8196FC686E900443A229D01DD0292BA7391EC5FF2C666,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:02.124{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53381-false10.0.1.12-8000- 23542300x8000000000000000369412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:03.286{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC73BF441B92ABE405583470F06F8BE3,SHA256=4D9BA73231F974CD20555D1882EE41726F5B884410044BAE3EF362F5FF7ED3F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:05.473{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62023-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:05.473{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62023-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000424070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:04.467{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA664AD8CB1D3CFEF8C2D3474D389254,SHA256=E9DC115D2FCE8A4E6DF1E38DCFBC9AEA2C2BD9865FF427639C9BB6B5D4BECD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:04.301{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CB6A53247388441CC40B38574680B7,SHA256=92B7F5DFEFAA2CE5E94AC3C35592BBDD6F6002471F00615D5C16AA8E458EA626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:04.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E44BEB5D093EAE99BE3D392C03C265E1,SHA256=B107B28D4E580D141C416FEE77B63D3901D3C5DE116D810298CF5FD898B29284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:04.330{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EED96779930F7E7BE45EB77EEE62D7AE,SHA256=5C6D7A5972ECCC78B5E58189E2DAA0BE0A3EB977BEC8DA211F863C8528DA3A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:05.482{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8150880C5BF660E5533C7189D8F12C3A,SHA256=70DD3F96CFEEB19BE5BD29EEFCD9995FDAB399951A0165D6FDE86F9BBD3AB4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:05.301{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D333E50DE01A2F8BD63D6DA640A226C,SHA256=83CE1A10FFA765638C4A4A0DE294E4FA52CEC8C169E923391DDEC7A8820225BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:05.032{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-1584MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:06.307{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62024-false10.0.1.12-8000- 23542300x8000000000000000424076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:06.497{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770703B9273561A5A352F31F53DC7E95,SHA256=226729357992875749903E060B3890982B70A6E73B0875F3A528EC24005B53BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:06.301{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80552D1D87F94C7CFFB5C973E19C8B7,SHA256=0429F9DAB6F157C3F00135DAD665AE9B33DCFB6BBFD64E8DF51E540947DA5292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:06.045{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-1585MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:07.512{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF66CCBF7525307A8490BEF0502F0C4B,SHA256=E577BE37481194C230EF13D906705EB85F729A6B2E833FD6DC6041B768823A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:07.301{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CE761FAE1986BC8ED5CB2D7E9D3C0F,SHA256=55B3E043AA1FD46C9A7B8F894453AD8922F75857DD2DF5EC0D548BEF18482574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:08.546{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DDDC978D52FEAFCE85A228E9FE175E,SHA256=470068B3B0BEF73CA4460C257C71DB30A15A414FE1AF43EC739788C4CDE3817C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:08.319{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776C92E3C0AB6635918E78C88E8DD4C2,SHA256=43200ADC41564FD9C0A5E6E406C665232FA9DC8792C9065B71D3B78A72726F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:09.564{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40106A9999E98855DD4061D6A3AA7BF9,SHA256=A9A0265623B7188D69BC72D9D5A43F4BABCA353664F422E71FAF4ED22F0FF41C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:08.062{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53382-false10.0.1.12-8000- 23542300x8000000000000000369419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:09.333{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358C69C64F6D803491E21A5537AE187F,SHA256=D82716255A234E60BDB1D219E60971DEF285EF2ACF8107207884F67C297308BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:10.579{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A99B4E5B2ABBC538CAECE0359741FE2,SHA256=9C46BBAE2493BDA368DF2DE72F677EC7DCDEEA63A8710178313B954C8AE6CF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:10.333{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633FCDB6992C0F54E41FC849BFF36637,SHA256=1993FFCC542CD052F542F2C6D36798B352F3B1EB4586088D7DCA4CD958E9E866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:11.597{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD1F928729F15DA5F6A8FD8CF259D00,SHA256=5DD50A3A10FA0C85213A7751CA54B88E79A79191EDA1C121100FBD15B52208EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:11.348{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C763E21F056246CC3F36907CA275C11,SHA256=D0F476A57915BC7696E6CB6624A330694B35FA3523D28EF669C98978BAE461B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:11.401{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62025-false10.0.1.12-8000- 23542300x8000000000000000424087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:12.927{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57055092FB2C06A232BE954584F05DF6,SHA256=23019654F09266BEA35217A8F5EA2CC92B971F96E5B48CC5982B67BA548E0B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:12.927{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E44BEB5D093EAE99BE3D392C03C265E1,SHA256=B107B28D4E580D141C416FEE77B63D3901D3C5DE116D810298CF5FD898B29284,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:13.922{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-21438-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:12.612{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4229D7185125B8780900A5464BA74EB0,SHA256=5280466D1C783391D88B3D1C0B5E904914A4656DAFFC89F10E16EDD9AE3E766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:12.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1398ABCD823D16C6508427019AAC0B36,SHA256=8BD0D8719B5096F035E2A7F9114A2E2FF3726287F6B045924C5C300C53EFB52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:13.646{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A17024D4C5D6E3A5B1BB2481AE8E627,SHA256=A87B9A6DD4CCB5E8E7ACBA4FDA5ABEE24C2B4A70F2BBED590B3ECAE81DAA6482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:13.364{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA84E9C0F2C6EBADF53B66DCEEE7BDA3,SHA256=39CF11CF4420732814D2DBB85873F1EEA8E379A75482E5D4707E1A1962493798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:14.665{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE3695D7DB056636BC05831157CF7AB,SHA256=51ED3FD0FA45FD8080C0A6727893AE65B1CE80437D73F8653B2866AB5DA77D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:14.379{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D30592DFC0CF88E6638C4C4BAB0D1E,SHA256=0D40A85AE3A4B5D0DA574B3A590D2C6E6A93899EFE33D21E1DB5B7C30F3BFE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:15.680{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3E0680E069905DDE8DDEF7BC2A86EF,SHA256=CCCC6FB70050E5E7AC3FECC9EE413E4C942ECADCE99624766DC911D45DD6C78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:15.380{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1A1428F887BC5181C46772F924E7E9,SHA256=A12EBC0839516F2EC682842E1B8F7F4DCAE7949C5A5C3FD31E1F77D8C1E9BAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:13.203{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53383-false10.0.1.12-8000- 23542300x8000000000000000424091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:16.695{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF98E584F2CDEFAB27BE095871F36C00,SHA256=FDB65C3DF4B800C14FECD6C68F9652679FCA05C8A89EF75576072EC1E02385ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C4C-6171-2B2D-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C4C-6171-2B2D-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.818{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C4C-6171-2B2D-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.819{6F8252D3-3C4C-6171-2B2D-000000000602}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.380{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED841171C8CD994BBC5492219049914D,SHA256=4055F350FB183B7CF106807AB271063D93136E64344CE7E8ED5534E3F6076866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.130{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3374D0B4596D9CE2F12DECBD21F52F33,SHA256=91C6E398CE7ED93B321C1A260DD8C1481D06857761DE673F2A0E28E5028B3D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:16.130{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE7CAE926A2DA18ADF108979E3DF8353,SHA256=FD5B26B7F6F2C538C80ECB04ADD4FE29BFBDADEE989C7737EE1DD10108A98A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:17.725{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E340DE948CAC55240AC93BA709806393,SHA256=E3648CE3870A59C45ED7FA7467ECBB881B87AA44F82EC809E865FE0D5BC1F7A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C4D-6171-2D2D-000000000602}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C4D-6171-2D2D-000000000602}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-3C4D-6171-2D2D-000000000602}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.552{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107F42036DC1A2BAC3A84EA0862AF9D4,SHA256=D1BD7BCBA669596A37C9BFCF4C58980C8C3A2D78C2E26C73C400D4AD3DFD88E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:15.150{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53384-false10.0.1.14-49672- 354300x8000000000000000369457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:14.954{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-30144-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000424093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:17.300{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53384-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000424092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:17.254{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62026-false10.0.1.12-8000- 10341000x8000000000000000369456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C4D-6171-2C2D-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C4D-6171-2C2D-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.318{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C4D-6171-2C2D-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.319{6F8252D3-3C4D-6171-2C2D-000000000602}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:18.761{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5C5E27EC479C6E544F2E9195F316AF,SHA256=62480D7FE82779D237FA8AA51FC770646CEB936FFB782AE4B150F3CCF4CD2650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:18.443{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6700137F1A2710A21192FC033AC05FE,SHA256=B2DF9F108EB1740B0DD966B6C9C169DBA845000EFBC9FDD268246547C6A2A0BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:18.177{6F8252D3-3C4D-6171-2D2D-000000000602}34602840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:18.005{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3374D0B4596D9CE2F12DECBD21F52F33,SHA256=91C6E398CE7ED93B321C1A260DD8C1481D06857761DE673F2A0E28E5028B3D2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C4D-6171-2D2D-000000000602}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:17.990{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:19.776{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E0DE433A2EFC43BFABE339EF049648,SHA256=BC740ABDFE60502E5733AF2A4E712988129E64B3305F43E4941B76F706A1E480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:19.521{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8311CEBF19FD1C71CAF1315B81AB7CAB,SHA256=D331C97522F0D0125B44ADE2888DA7F76D3C3431570007C0E74D2E1EA09AAD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:20.791{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F179BC695EDE9A172F43BA58C9DE5C1B,SHA256=32958AF43A04D38390F9E5C605FA85E0505A32E5839FFED6F5D51FBDF8B91169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:20.568{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BA66CC3BC59B6D89174DE13FACAA6E,SHA256=7493C8D39999FF78A78EAA2D08329CF8C2E1AEF05A28AB5A95A6672D22B32093,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:19.110{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53385-false10.0.1.12-8000- 23542300x8000000000000000369479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:21.802{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD97EEFFD0B2CFE1694F18ED9EB6489,SHA256=25399C0310B9AE08454161E853971E9CA2FEFD56CEC1FF44EEC1B1E85522EF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:21.806{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78633AD87662ACB58AC0398779C09C29,SHA256=284AC902F32999290C06A94F1231E72293D4F70DABE7D3C9B11BC76CCF20C7E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.896{6F8252D3-3C52-6171-2F2D-000000000602}5162552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:22.839{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8100DB981147FF3A84D45B814F00C142,SHA256=69738A2EE564C12B0B74DF37A8D3DF0F5FE98A4CACB35186280A7FCF4DDC2964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C52-6171-2F2D-000000000602}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C52-6171-2F2D-000000000602}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.661{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C52-6171-2F2D-000000000602}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.662{6F8252D3-3C52-6171-2F2D-000000000602}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.380{6F8252D3-3C52-6171-2E2D-000000000602}27641640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C52-6171-2E2D-000000000602}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3C52-6171-2E2D-000000000602}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.161{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C52-6171-2E2D-000000000602}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:22.162{6F8252D3-3C52-6171-2E2D-000000000602}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:22.324{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62027-false10.0.1.12-8000- 23542300x8000000000000000369525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADBD0DC87B5CDC4AC5BD35280F68A1D,SHA256=2239F1B8516EF73A67C89195A2074EE578000D113E5BFF2E508692CC7C14853E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:23.888{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDBACC7735B3BF65804EADCA3E7EE79,SHA256=15FE3B4F28AC5F9040CAB16F43626B55EBF5BFACA4C52EF28DDC5CC69BA40B2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.396{6F8252D3-3C53-6171-302D-000000000602}16923864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.177{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AC4559A1A35C32A0747395EB65121FF,SHA256=C6C556E639099B5F99CDA424A1DF26C6E56CF553FBCBE569556121DA6E673E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F44A3F5E36D5345B2C0B9ED18A68BEE3,SHA256=7875FDEC67150CD58586D26D4A1568BE47F2A544379C85C5134247A633A3675E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C53-6171-302D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C53-6171-302D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.161{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C53-6171-302D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.162{6F8252D3-3C53-6171-302D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:23.099{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA81BEE8CF02C0E12F974B2CC2EEAD34,SHA256=FA73AA287994AA0B1AA5F0D74DC40A7BB2E9F7C23B1244DC9C9C55DE3B193C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.927{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162EA136DDCBEF2CF523A2E9ADBEE314,SHA256=C7078C97A50CF9DC0904E2E6D6A0B92BAE5E3E71EC3502B598AE7D53D5B01CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:24.903{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207B8173D504734625EA42B70221BD9B,SHA256=F8A5CEA0B53D1001256DF26D0382D8E34CC5809D57E221ACF15B1DBFFEB5FA63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C54-6171-312D-000000000602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3C54-6171-312D-000000000602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.302{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C54-6171-312D-000000000602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.304{6F8252D3-3C54-6171-312D-000000000602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.161{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AC4559A1A35C32A0747395EB65121FF,SHA256=C6C556E639099B5F99CDA424A1DF26C6E56CF553FBCBE569556121DA6E673E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:25.974{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4798F6B7441BB7B5095B67871FACD390,SHA256=188FA8DE8CA6B5CF1E00A547C73050F7DF5D9EEB9DB43D86B6D89616256ADB28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:25.935{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41870C9D9ED9547CB87CF74DE15F75EE,SHA256=352D726BE6C0E6C2B9CA3C1A535EF6D04504910D268B730D93F22542961120E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:24.235{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53386-false10.0.1.12-8000- 23542300x8000000000000000369541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:25.302{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97580C75BF7ADA62EBA673E7DA1302FC,SHA256=A40040942EDCE97553CD5F52342573286C3F556165F60CE401C2FC06B9BD7405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:26.974{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7ED4AAB7BEAEDD7746EB912EB6BB886,SHA256=C096C5C2AAAF9A65A9EB4834A27F8447A1846562DBCFF95A799571DB9A40CC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:26.954{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C2ED456F0FDA428CFB58B05E1C0459,SHA256=B9625793D0464FBA0B7C111AADFE49262DE2956D495872C07E92F4F4FA3B48F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:27.990{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3997A97D48B99876C80A520DE6FDF53,SHA256=3397479BCD074CBF999705B7C00E7564D762E8CD98D4BF5734B53BA56509C38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:27.984{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81DB26C5B68BBF074E69C3C190CDEED,SHA256=9294339814E84FC09116C200476E37CD91A6F05FA65D7469619C2AED406D376A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:27.414{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62028-false10.0.1.12-8000- 23542300x8000000000000000369546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:28.990{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C4BC649804857C208E93A8576A53FC,SHA256=82432332B359354E067E13D473474872C67844DBBFE3692D1186B00C58C74EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:28.998{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EA1C7A558F01CAE017D37C680455E6,SHA256=2E7BD77F779743B44907082F100C107315E9B1C9DE4C17D18701899A3EDA71F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:30.036{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B74944A6E72D0477B376BE3405B478,SHA256=06C4034FA0C420CBC5034313519D06E431A5CE98D495204AB8D142848C2D9EB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.905{8D4DD44E-3C5A-6171-242E-000000000502}15403344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C5A-6171-242E-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C5A-6171-242E-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.721{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C5A-6171-242E-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.722{8D4DD44E-3C5A-6171-242E-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000424116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C5A-6171-232E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C5A-6171-232E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.050{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C5A-6171-232E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.051{8D4DD44E-3C5A-6171-232E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:30.013{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE890A3AC8EBB1197E503A947604C7AA,SHA256=F989CF9EB9A1F285E54A978049725A6675E776773C4CDA9F7794AB1C47629CAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:30.141{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53387-false10.0.1.12-8000- 23542300x8000000000000000369548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:31.036{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31814842B5C0F3EFDC28F0415172878B,SHA256=6BFE9327F0D41CF9EF77DCB45BC2CC1945C2E8E5FD8D83B255EE9678166BBBF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C5B-6171-252E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C5B-6171-252E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.389{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C5B-6171-252E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.390{8D4DD44E-3C5B-6171-252E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:32.033{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-10778-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.058{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5348BD35AE0CA0415CBAF499D7858E03,SHA256=D623ED507CC91ED6C29C9EED9E626D11F0AB55D7C40615DE0D211EB2409C3765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.058{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A17265B81A0841C44E9F102834B833E6,SHA256=EAE620EC3E979773EE0E2D42529078C956896B353D3400EAE95DE5261FC67A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:31.058{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57055092FB2C06A232BE954584F05DF6,SHA256=23019654F09266BEA35217A8F5EA2CC92B971F96E5B48CC5982B67BA548E0B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:32.420{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A17265B81A0841C44E9F102834B833E6,SHA256=EAE620EC3E979773EE0E2D42529078C956896B353D3400EAE95DE5261FC67A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:32.073{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E499B59265B3924A0BFF541DC9438FF,SHA256=F1AAEC12ACF5AB4301B21B0D0F538FD7DD7864EC7C922D1672E1153E263CA9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:32.990{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD28D8627A67B1179E28003318B5C28,SHA256=9CA3D1B57F5F753CEA136A6B582C3F67321BD2B48E83CCFCAA2F0043197C1707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:32.990{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CDD029F019D7926AC8E1185A24DC6B1,SHA256=B37EB947AFE91D082E619540F7F350131FC9ADD3625AA7DE779E6032CE2EE7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:32.036{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F40B68EA2042BBB4FE81B23E299DA90,SHA256=24EB3F30846F7A06ADF4630625715D2AAD3ADF4AF887826BEE5C641B9844F601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:33.068{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7B03988DC6F817591A8543424E93A7,SHA256=785183E7F2C2FC1AA76CC02309002BC156ED71C4F33560C3BEE4BF41A018C8BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:34.138{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53388-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000424141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:33.279{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62029-false10.0.1.12-8000- 23542300x8000000000000000424140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:33.088{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CCD7E8125F30F5B0A027977B440A0D,SHA256=41B0682DDDD6E5103BFE58E23EB55CE27DC7F3D2674B2D53C1EE9677FDE6ADB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:34.882{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=413CC045CE745EF223741AAAB97237AC,SHA256=2DD6EB1685FC3928AE40F180290928ADE859489074F09B31D4346CE3CD43FC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:34.224{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369D3EE17DDB0DC04E27016D65945839,SHA256=3F6694984F3C72D478AF6FCED7D94E2AB28574FA208C3D2962FF4279D6D3629E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:34.955{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F51C983763400985D76355859643E1A9,SHA256=F800D7083574514A4531E66E015A67DBAA6DCEBC3C3DC55F53A5329801BD989B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:34.102{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7578577A6D4641439CFA3FA1D35C4F,SHA256=D901C7FE3F5F17D8D634222257573C70793E4AE42D2DA59567C21AB80E0090EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:31.988{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53388-false10.0.1.14-49672- 354300x8000000000000000369554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:31.892{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-15363-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:35.460{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E74C683493FD04E58980D5F4032409B,SHA256=A8A56BFDFFFCD557601233598540254BC6FD9CD56D8027A8C36254E06B23069C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:35.117{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0605B2A3AC9BC92BCFD9B6DCB4C453,SHA256=37F90279CA4726A61AE0099EC97211E7B38DD7E4F01C9964CFB670EE44604BDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C60-6171-272E-000000000502}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C60-6171-272E-000000000502}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.937{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C60-6171-272E-000000000502}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.932{8D4DD44E-3C60-6171-272E-000000000502}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000424155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.485{8D4DD44E-3C60-6171-262E-000000000502}50166124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C60-6171-262E-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C60-6171-262E-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.338{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C60-6171-262E-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.333{8D4DD44E-3C60-6171-262E-000000000502}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:36.154{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED60CC0553AD24E0FBF82A239112819,SHA256=6D5E3EFCC1DE9718ECBD034DD9E39D4ED822267A4BB4BEF4AE9D7477D51E7E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:36.476{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09B5AC6EC83575FC154851C1ED10007,SHA256=5C147CBB2A77357F33565F67E9622304B7D06567E6C79024F11BFB8A070EB1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:37.492{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23F5760EF489F82C2A8A0ACA465CCFC,SHA256=448C2958AFEF62D25B5C65D55579AD90C3E9FBE4DF2F380146CB36BB275BBB41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.784{8D4DD44E-3C61-6171-282E-000000000502}3362200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C61-6171-282E-000000000502}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C61-6171-282E-000000000502}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.615{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C61-6171-282E-000000000502}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.616{8D4DD44E-3C61-6171-282E-000000000502}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.360{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62030-false10.0.1.12-8000- 23542300x8000000000000000424166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.353{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9CE28E5185DEEDD1A089E17AB6BC6ED,SHA256=5AEAD037BFC0F4A1BD24F15B9B53DDB34396C2686417D70A8FDD289E8F663AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.184{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7A19AC6140E64467D1B1CFAD05FF40,SHA256=7A8F83F2A5E118FFAA4266739500559EA14DDD109C524F75E44F746D89780410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:37.100{8D4DD44E-3C60-6171-272E-000000000502}59964172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000369560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:36.034{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53389-false10.0.1.12-8000- 23542300x8000000000000000369562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:38.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574DB6444955341EB0273859755F0AB0,SHA256=B7AEF7E0747C46615A1C374A15ADC674A05B5C887E70ECF2C34CC4EEE8C618DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.621{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E9D46BD27183956544B66CAA7C197AC,SHA256=F43D6FF72EC19554722B1C7F3A662EDA525880B09690D2D4B634807DBC146F9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C62-6171-292E-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C62-6171-292E-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.257{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C62-6171-292E-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.259{8D4DD44E-3C62-6171-292E-000000000502}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:38.188{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD470D3B3E9B985E00F5BB940CBCF13B,SHA256=083ADA7E6C2061E65152642B4E2C97DA77B33430B25308F7D91831299C78CAAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:39.189{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586A2EE0937982315FA5C6A1B87DEC00,SHA256=8B6FF5AA53523E58C86829F680E10951544C2BFABB499A542ADA72EFEB7E1BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:39.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1633919D2FDDFA0C92B5DE105C1E6FA,SHA256=56A83472CA23CA7A5F9D6AE3339E0AFB8C485806B235F0D8BE6901294900A91D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:41.033{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-61553-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:40.204{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADDECE5C47E4F83F68429D77B4FCD19,SHA256=F69FCF754C888F6720E68D4A1DF75283A0D59DDFADE4FC456B7AF9F3E842522C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:40.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5AAA8309112BB0C6C355292CA7F52E,SHA256=2FA0131DD8CB9CB5C83D0D409F8742BCE929AC0758386C2A1D7F99125AF42A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:41.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369D48142C02BCF094E3DD6BB8570A00,SHA256=CD7425313E4C730F2D1EF48BA1BE3FCAD76DC02502B3CFB16E124E0F2820BD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:41.318{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA684CF972CCE5BFC332F90766847D20,SHA256=459661396BFB814083D0A3CF9699001993EAEE4BF118EC3083272A433B6DE10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:41.255{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E7808C6782651A3CC8E65853849B5B,SHA256=3F19220223BCBFFBDBD1CFA97950D839C4EDB8C9AD305A5A32A9BE9A21C7EEAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:41.112{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53390-false10.0.1.12-8000- 23542300x8000000000000000369566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:42.507{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D22AC63D582712CB08E24F637D9B86F,SHA256=C24C8DD7994049A361349DF6AA6529514BE3F9CB2C4E89E9A10756BE7320967E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:42.647{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local65507- 23542300x8000000000000000424192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:42.286{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC417F830D94A6470181AF1EADD74C7B,SHA256=1D94DB840938FBC5FA2F9A8A4C309842881F5EBC0E60CDC8FD3354C839C04288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:43.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C44AB7F07AA28F55B6FE9A3FFB25B76,SHA256=D83E78CABFF0ADCFEF53C790EC4BD23EF04EB7B02727E6D69DA7157E139EE971,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:44.245{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62031-false10.0.1.12-8000- 23542300x8000000000000000424194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:43.301{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2B912038E5FCBE646155F488BA0270,SHA256=44AC59BEB9226AE026A437B8F8EBEAB7711A01CB8E64CE199910E1932F141B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:44.757{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:44.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642D0924B63A7695B28988B3F64D51BB,SHA256=1C901F5DB8C5D73941255EE172C2E77EEB258390C45EAC1973CCE446FE504D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:44.316{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6391AEF08155C28E858CB2781EAA6B57,SHA256=3CC3B16636A2F9FD5177AF3354C6881EA3C73C77CA3E49E75E3F1BA4258314CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:45.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17D55CF49DEE78AF76A932CF191AE1C,SHA256=7F0436A415F07AB81F4161EC0EB37082E4B38C396666C254D8A31054F03EDC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:45.317{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90F58954757045D3009984FFB1A5581,SHA256=FC080A6561E4829B74E6E35A8BE6C8F834983EC3902CBE60A8DF20AB3559F62B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:44.753{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53391-false10.0.1.12-8089- 23542300x8000000000000000369572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:46.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78295B1B8AE7A32327869A53D7E71206,SHA256=43A3176178BFDEA6C81D88C248DF216E51AFC7AA9F3CEF94B84CABC1003760C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:46.336{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95402B291C2E8F36A405E246FAEF8A7,SHA256=90AADA50A0E27E19C6B93D9522F8BE5EAC74DBCDB5BFFF5E6A1D909271F3D1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:47.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF794B03233C3AFA9EA8861EF7B79261,SHA256=96B005F4D11C5197E22D44EAD5B8407BA4AC575FEF7998C8EBB315E7B9A6F946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:47.354{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1ECA63D24687070D97C5F3517BD688,SHA256=E2E7C38E94D586E6B865115DC6D7CD0C9F657FFE28147865B2C8D6DA416A3FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:48.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6866A19F18ABCF4B0AF2D4419390CB,SHA256=A4E22D674EAC43B977F6A819FD417551BA6BB9D0D4873E8C8B9EA59245D20815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:48.384{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE173E16B88CF8FF072915CC99D3840,SHA256=6D175BD86DFF88478F03766DC5772CC11B3AE472EA53587A46FC51905551F38D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:46.174{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53392-false10.0.1.12-8000- 23542300x8000000000000000424201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:48.353{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E99426DDD238ECE6A5A5A3535BA9ADE,SHA256=22F58C78E810E5C679979A8426D3588CD1257B8561E030C0B9E9CE677042D68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:48.353{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B192E0A4CE99529B21C9CB5F6A7D5BB8,SHA256=3936947E8809E8B5749C5E6EDB98D2B34ECAE1FD5C3A07F5CAF53D1BC8A73EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:49.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240EA41E10A88901BE1218C6A135F697,SHA256=A2ADE5070528C649DFC35C501BC6E8E185A3D3595BF60D6A2FB0006F910C8D0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:49.408{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-54863-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 354300x8000000000000000424204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:49.314{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62032-false10.0.1.12-8000- 23542300x8000000000000000424203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:49.399{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917F88CB3EFB9C1771B6EE6C44959943,SHA256=7A61B3C99998C9B6E634F96D803532019FD827519DA6621CC49FB8420B45179C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:50.523{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1925266B158527736EF1716AC95EF39E,SHA256=732BE0A157DCE52F252D93C4A6E6231F401511D1D61F6B31252A2D62AC3E236D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:50.435{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5F04ADCE1D5FFD6850BBA543D442E4,SHA256=CE5375CCA0A10F8C7BF0A4945A40A876BA2363FA16AC56F808A74890EA340AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:51.525{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFE7A98F85C0863C1DF775203449571,SHA256=50A7ECCF44A51D1657B1073521B43DAEFE50B8B14088996B9ACE7B4650884694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:51.450{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBE4DCB79C4B8E8D45C8ACF407A4BD2,SHA256=C1DCB977BB9BED942E3309D9A752BDB7D762E79E2015A826ED73ED5BA7AD0E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:52.681{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBED0EB292F3B70DA07485BBD104B52C,SHA256=DDD48A3691DF344F9D46E6288BF3A9A4FAAC16334540B4BEAA96EFAFCAA72A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:52.465{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EEECB53445EAAAFA82F4B1C146C0CB,SHA256=BDD7C3404A257C284D39C888FC1DF508D6F8FD3CFB2D8F16BD4EB5A0A8E09F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:52.027{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-1585MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:52.149{8D4DD44E-BF39-616F-0B00-000000000502}6323872C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000369586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:53.695{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDF5551A185860595EEC40F0E4DCA93,SHA256=05C3BFAD622BCDE5470E5746D6A868006F64CB0AFCB3B354AEA2EB73313EA092,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.312{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62035-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000424216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.312{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62035-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000424215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.221{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local62034-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000424214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.221{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62034-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000424213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.212{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62033-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000424212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.212{8D4DD44E-BF3C-616F-1600-000000000502}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62033-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x8000000000000000424211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:53.511{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01623AD5EA13522029B9C8C8F6077220,SHA256=A8EAED04A7E0B3A958857F9AB18C9C48CF4DB017FB8BEBC8BCA48EF86787C2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:53.680{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64096C90195E967CF84FC06D41A7A380,SHA256=FDF4879D8F230F4BEC6E3EB8A4557AA70DAF6800316F9B7AC6AAF5B78B54207B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:53.680{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD28D8627A67B1179E28003318B5C28,SHA256=9CA3D1B57F5F753CEA136A6B582C3F67321BD2B48E83CCFCAA2F0043197C1707,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:51.237{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53393-false10.0.1.12-8000- 23542300x8000000000000000369582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:53.040{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-1586MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:53.064{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E99426DDD238ECE6A5A5A3535BA9ADE,SHA256=22F58C78E810E5C679979A8426D3588CD1257B8561E030C0B9E9CE677042D68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:54.837{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435CC24B5EE801CEDE9588604A7C7F08,SHA256=A9EA57BE032058FE45B120EA6F7776C2310167996E61C2F5DB73E5D6270F7757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.828{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53394-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000424219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.409{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62036-false10.0.1.12-8000- 23542300x8000000000000000424218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:54.531{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF9F5A5F9E9CA9AA2B83D36A9895309,SHA256=A6F70C3E9FAC2F4F93BB0187BD363983DC66CEFDD526370A29885C898719C8B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:52.678{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53394-false10.0.1.14-49672- 354300x8000000000000000369587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:52.576{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-8295-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:55.931{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F5218904F25BEE61B0360375AEAB8E,SHA256=50C1DE3A027DB7C23E908246FA763CBA5DB301EDA34EF9F653DC479EA622AE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:55.609{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5A0DD46460C280AB2D9E9039669372,SHA256=2F9D0CD786D45E1F212172AC880F3599F7C2FA90A41B7E3A65CD32BDD78C7E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:56.962{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D58ADA6F928B82A1E4185C584DB381B,SHA256=8AE37E527A179D626C4C18E79DCA37E15953BD326D441E091E32BC229521EC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:56.626{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE8C96824B9AF426EEA9293CF27AED7,SHA256=3314245BB695912ECACDB75C36B53AB2093868B4BA464168DE08FCFBF04822A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:57.978{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B544CCEDCCC949D0990892340C2700B6,SHA256=17E405AD5B420811100A9F4BD8B3C8150E411F8786B9897AA23FE47ECA72E7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:57.645{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF8273449484FB3406A202E5D8C29A2,SHA256=9F818F85787157CAB72CB0FEAB2C54886A9B683A671BAD41D5AEE09F936CCD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:57.592{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:58.676{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCAC6D910431EA34E1DA5C44B360CE2,SHA256=0C22C3C7C366E860E83756B3A49753A6A64FEE018A0FCF5CC9B4D0831D6FF522,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:57.114{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53395-false10.0.1.12-8000- 354300x8000000000000000424228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:00.283{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62038-false10.0.1.12-8000- 354300x8000000000000000424227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:59.736{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62037-false10.0.1.12-8089- 23542300x8000000000000000424226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:09:59.691{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA14E5F617B2D1918090AD351849CD3,SHA256=FD74F124C4AD8EF1E78EFCF40527B2C5A8FEB9EAD884BCDED152BC501B2A6C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:09:59.087{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C3061FC81C58101FEF53D6728C904D,SHA256=6DCACA5EDF9F35EE9DEE88ECEC84D3F5EC8F5425C227211336977282E7481A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:00.705{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D26364F492B8F9274B2A2816FE4D9C,SHA256=CD6A05047742B896C64CF57513208EA3EB80FF3EFD790BF0AF9A4E5D0597E19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:00.103{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F41FF4635C22B2478446F84AEB1AD66,SHA256=1B035D8119AC4D58EDB97B17CAA5FA5304808DBC812A5D3AFE50D02983E0148C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:01.726{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A041AF25072A79FD9423131546A49351,SHA256=A49A50F145DAC5C044F9FEFAC72AAA68CC788EB2C1D71E923E001FB479BFAA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:01.150{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50309B346599AD311E70E98F8946E04,SHA256=03BE81D913C3BF178100EC33398E899C3D858C40E04D450FD71CB4785CB43768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:02.740{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E45B0C78CC7B77034A974C8A7ACA546,SHA256=6DC3B78C4E6951CC70532639450B2168E84430542BAF4AF044C92E0382BB633E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:02.150{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A49F51997260309345169903A32AC0,SHA256=AEB23B99B1F600774073D0E4E197684D9D8C053AFDD9F5C5E924695F34F048C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:03.902{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4DCD814D67B0AEBB65968C13D158740,SHA256=994114502E94CA687C2CFE8D7DFDC2E961CDBA401DF8F3F75CA73345B4F9B103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:03.902{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60935E3D16ED5EA815779813DE04F33F,SHA256=2A102F2D2F39B08A8B711517C5BE4804B9107B80CE47D7F792EB4311DBF6F995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:03.755{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6E6D18CF432998282E22891D8D231B,SHA256=49751C605F9D31778FBF36BC4E42F602D9C81C3CE9A47B5DA604764E130558BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:03.384{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F8281169797766EC2903A8C287CDA0,SHA256=373BF7EF92666E74A1465BC2CD7DF9834F2174332513E1D45767D97AE11DDEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:04.770{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6B5DB52F7C5DAD2A523CC6E938A197,SHA256=5293571B62325DD6D795A5E0BB394246E7419C716D93658CC9471C1D9E76C5B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:04.431{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0954DCDC499B08122205EBCDF63F1AD,SHA256=EFD21F0A97564CE5A60DFAAEA365D0D90BD9CD4377BB548589A067700797A36D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:02.208{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53396-false10.0.1.12-8000- 23542300x8000000000000000424239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:05.822{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86782F4437BB48F6746F3AF6038A57B2,SHA256=7A0645F5EC78D6946DF94D73E6EA004181DFCE2C4DE9ABDEA03B30EB529EB012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:05.509{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55700927F8A0EE7065B3C7DC02351E6C,SHA256=7558D558BB9177EF96DC0FB9F72E1CE24B92AE0DDBC48F0ADAB57F0FF170F9DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:05.478{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62040-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:05.478{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62040-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:05.378{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62039-false10.0.1.12-8000- 23542300x8000000000000000424241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:06.837{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1605B5AB2038A21389EF40E273638789,SHA256=AC3142EDAD6B8779A3465A7B16AE3D2EF2A8AD02FC531651BF1FA38B23AC0896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:06.572{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D374C96DAD536408EA7B300F22AE62,SHA256=BC875C98E2DF5ED2791B8F0AB94F3D668B6746267FEBFBA3FCBD41CFC071CB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:06.555{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-1585MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:07.852{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E61D236BE0D5BCD4BE365AC0EB335A,SHA256=CA8AC41EF7248A0771367AF20BA226A59E1E25AF093041690CABFCC750587DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:07.572{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C781778666686E91BA79812574DB1F9,SHA256=560FB9AE99A0EFDD3EE69F0BAA71D0AD9E5BD580630FD3CA656D01DE1C3BDD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:07.569{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-1586MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:08.882{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA39C0238A149116134B75DEFCCCEC02,SHA256=CADCDEB7E9C80AEC4E745A3721EF72C83D0EA86D0D97D3F2D85CCC45438FB2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:08.884{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4207C11849EF0E4C7099EC7922577A,SHA256=BD4B8952F44AFC3FA479E33F939F46232912B618410A914292A766490A52C8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:08.884{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64096C90195E967CF84FC06D41A7A380,SHA256=FDF4879D8F230F4BEC6E3EB8A4557AA70DAF6800316F9B7AC6AAF5B78B54207B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:08.603{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4572425E11A399B79906CC8F1E79947B,SHA256=88D62DF36438AD8C7D18C8CA28A3F435A51E28C88A4697448FC976ACC46A2E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:08.867{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4DCD814D67B0AEBB65968C13D158740,SHA256=994114502E94CA687C2CFE8D7DFDC2E961CDBA401DF8F3F75CA73345B4F9B103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:09.897{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3504F7DED302388C88E043D0A9D359B5,SHA256=6C43ED58549D5D6075B1D227B74627E03F5AEB11B3C207559B1EFB1E08495F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:09.603{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7DA87E7468EA26AFD6BD3F818B1A31,SHA256=11337CC44E06DD7D75ADBEA2216361142834CB257D0715B72564877B4609E567,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:09.922{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-48331-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 354300x8000000000000000369608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:07.882{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53397-false10.0.1.14-49672- 354300x8000000000000000369607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:07.801{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-48471-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000424249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:10.898{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C305BF35E093751DBBC1813B398F2051,SHA256=6A6CA0DE693810659EC167D59F14A28068C925C20ED771DA5BE7EF870B65D88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:10.665{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B88B397F0488071FC3CF1258F42C63,SHA256=856D06D4A77271A9307E5CCEC5B3CFDD6F0F94023EB515C3FA55A05595B2AB4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:10.032{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53397-false10.0.1.14win-dc-185.attackrange.local49672- 354300x8000000000000000369610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:08.145{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53398-false10.0.1.12-8000- 23542300x8000000000000000424251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:11.915{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F6708A5B44BFEA0539C7A3E68C4DB9,SHA256=581AB8AF23BF182F61D07E6DC5000345F8796606965CA058B8354BAA4A666612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:11.666{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB13C8455D5E535FDA6A667FD552C525,SHA256=0FB16DF2EF24880C6A57D68DE86B57FA97600E9B311116D2CA15B35AAEB44631,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:11.373{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62041-false10.0.1.12-8000- 23542300x8000000000000000424252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:12.949{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3686F8A91C85498474A8E552D1577AC7,SHA256=14124891D7A5AECDE2B5E00C98519043E69632DB7801C7223AEC038D84F57B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:12.681{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CD75EAEAEEF4644D4D56F6A3CE9FD4,SHA256=3B5D3060BFF9EF7B7321EC664629FA631F5A2B12D2B025CB2459A2B4CD137FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:13.697{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667137F732C26090F3292033B4D5EB59,SHA256=A207C296B6106CEC060036EAF44415AD619BB329B264563E9923B5475180CAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:13.979{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B01A270C0831E4B4AB69DBFE079F611,SHA256=5320887A26226A92D8B8F022E0D7EDAD0C721610CBCB4E8758C57AD9B71AB55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:14.697{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D976B003AD1E1116117C6A8520BDC3E,SHA256=0EA9FB274B8E04EB0BBF8265B4FC699F0234BB40141A0989E5EC2E3A5A2A9A66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:14.947{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:15.698{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C96B43E8E2E037385A6B356CA75626C,SHA256=3DCB52E88217F1ED69CDC45CB284BAD2BDA0DD3E2A48A14D81A0DB7DA768D853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:15.193{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5011127E842E4319DE077F30223C8C,SHA256=4CBFBDDC8C5219EA8770941DE200BF8C6045BECA166B5D14E453B9200B71A670,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:13.255{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53399-false10.0.1.12-8000- 10341000x8000000000000000369631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C88-6171-322D-000000000602}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C88-6171-322D-000000000602}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.823{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C88-6171-322D-000000000602}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.824{6F8252D3-3C88-6171-322D-000000000602}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:16.714{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6C65E95EC488C5C7849886D96B25DB,SHA256=2CB86B47411DAB840A2FB4DD66485767592771468682BED6D68B132A79AE46B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.230{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF36A59E2C0EC83BCE9D97ED41756F4,SHA256=A7B038BCBA058F142465A5F34D0FA40356B1833318EF81AA2B920E011BBDE764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.015{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=4F1FC5D7EF50C35D2FFB2CE69CDDADF4,SHA256=56E45B518A9E4D1B2B431B5382ACED6CDD52F5E998A24A433951632E69B63B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.015{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=245B09017450215AE930DF5FD1FAB7B7,SHA256=D44CE0B6A64F02081F6F4DA2F7DBF298EB0E87461CD398F20B9460E6BC7A5089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.015{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=A06B5BB884EC7B0A29E3013300DD2AC1,SHA256=B114E592A94301CD23F7EE2AA865DE61DD80C95C27066DEC9B023B5666A6ADA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.014{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=31C9CCF389F2224DA2F71F30936E9AD1,SHA256=062B7FBA1B52104F1AB6AAB4D13DC9556492E2311CD059B4C7FE9BD3CFD66CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.013{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=6F1AFB58F4083694D4579F8FF7BBF66A,SHA256=BFEE651C46F3622456B9131FEE6BC1A95B2C873BB903544F2E02E206A97B1D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.012{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=E5D2BE68C34A71763834D431315DF4B6,SHA256=89DFDD240DAD476CD4298B348AC62972090F65FD0864473733B1DFA36E896D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:16.010{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=8CBFB1372F5723E8F5D267F131AC9A87,SHA256=A8D097818846BD5EA238E703A6A3091C6462A539750FBB803AB3FEDD30F7C775,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:17.291{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62042-false10.0.1.12-8000- 23542300x8000000000000000424298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:17.261{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA58EF71297FBC93CB85C026B76CC9D,SHA256=16FDE2C403CE310B1D49D32F77EA519FCE56C2EB27704EADFA7B2D7B7009C895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C89-6171-332D-000000000602}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3C89-6171-332D-000000000602}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.323{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C89-6171-332D-000000000602}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.324{6F8252D3-3C89-6171-332D-000000000602}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:18.275{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6979AEF1964BF1C4EA45DDDFC1B9A27D,SHA256=550E0A3C5498479BB7549C942A5AA8F5192F96F5AC20FA3B14C20390327BDBB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:18.183{6F8252D3-3C89-6171-342D-000000000602}1668724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:18.105{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7368521EEAA4F05F6DBCCCB324656F7,SHA256=78C0AB1B2D4C36FC399A1E826286401D2DC29F952B6EB5B0BCE2D49A479FD13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:18.105{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4207C11849EF0E4C7099EC7922577A,SHA256=BD4B8952F44AFC3FA479E33F939F46232912B618410A914292A766490A52C8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:18.105{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F5E3E992B27D59E75023F574A692E5,SHA256=F869A430F50D9C9241A1670ACA6EB383F9E41378607DA3BF96F23C18E949FFE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C89-6171-342D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C89-6171-342D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.995{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C89-6171-342D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:17.996{6F8252D3-3C89-6171-342D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:19.290{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EAB12751329DCE72EFE0DC40D858EA,SHA256=AC59D4310EC342069507AA93F4385E4E2E6616DC45B421231E203290A79D4FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:19.198{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221B11D2ED433B73AB7D9C7570C003EC,SHA256=077101E17487174CAC2641447B58A7F5F5A6C0784A194FAF97DE234E7C3AA559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:19.027{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7368521EEAA4F05F6DBCCCB324656F7,SHA256=78C0AB1B2D4C36FC399A1E826286401D2DC29F952B6EB5B0BCE2D49A479FD13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:19.116{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53400-false10.0.1.12-8000- 23542300x8000000000000000369664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:20.214{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AB4A30A6A8B29044D79464A4E61FFA,SHA256=1728036C50BA1F94C6BCE3D4B112FA4CD3D59D0FA7E3B10884EE1020B47B34F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:20.326{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88C08882BC91A3B7D109B345E436055,SHA256=F3935AA03BAC732682B12E4B5030DE91685B1DDB01C44D46FF52A1592B2DEA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:21.214{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E642B7953AA1035205E54408681CAAD1,SHA256=BCF5BCCEC7DB3FBD3E14593206F6691830BFE15A65A5855A0EEA3E77A0FFB1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.356{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB562CB9DA2262B99FCBDD0C8AB080C,SHA256=4EA729199911BA8CBDCF3792FB41772485D82F4173614D118A45871CEF54ED4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:22.364{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62043-false10.0.1.12-8000- 23542300x8000000000000000424309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=2EEFD9045520784FF7D754447BB2ABC7,SHA256=337D2F0F73F8335718F59ADE317676CC5145674E2FA54EBDA89CC23838704287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=5BD43BC9AFA9797B5A6ACE9B29D48E30,SHA256=AF8B95EAE3C038F9D4196B042F1106C35543ED22267109B847B1AE2CA7D38CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=E5A0ACAE14BF8DBD2C49A111377147E5,SHA256=9E90AE660A1B9F3CC389559E24B4EE99E3619A6E6C0633868DFE92C3D5EBE749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=E13CC016645B621C31925740CEE5B5A6,SHA256=D64A35A42103640F5A4AFAD3C8D126FA2B1FFF2C6982C8CDE9FB61AF8FD92165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=6ECA3E9B7B5BEA37DB6933A2340A8DC8,SHA256=EF90E8FF57CF719BB8CC4FE8A7A3C5DD3E533ED99A252FEC65F1E12BAB0A157D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=35C600295F0E37CD9B8D49F0CC7BB4BD,SHA256=424D39EBAE9557CA3C9FFA42E29B956C0EB64202BC5BE74C6A2679A3F52AE455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:21.025{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=D915D4736ACD988EB068AB24A064FAFA,SHA256=90363451416C96E24AA7AF67BAA29D61ABB881469CBE4C188AC768B003B936D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.823{6F8252D3-3C8E-6171-362D-000000000602}15683260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.683{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C8E-6171-362D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C8E-6171-362D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.667{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C8E-6171-362D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.668{6F8252D3-3C8E-6171-362D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000369681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.386{6F8252D3-3C8E-6171-352D-000000000602}3380804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.214{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871365EA80B699469C359978FC250646,SHA256=132E8788410874EB0CD530F72A82BC24C5F2BD744EA96B8D060283FD7A9FE5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:22.387{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1445A73B01C2FAC65F3B93BBFF7A6062,SHA256=130B0284407222E65326AE10FAA2746BB917135B50C4511794306AD296FCB749,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C8E-6171-352D-000000000602}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-3C8E-6171-352D-000000000602}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.167{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C8E-6171-352D-000000000602}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:22.168{6F8252D3-3C8E-6171-352D-000000000602}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:23.404{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889922D56D53771F54FA592298B7664B,SHA256=E046B0C0D124E125C64144DAE2474ED203998983B8B466737A7E568B37CFB524,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.480{6F8252D3-3C8F-6171-372D-000000000602}3440716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.355{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF060193AD2EF601895293B1F9439B64,SHA256=2B982AC0531B5BDCC49C63C647793DBED3DC732C6C6DC96BF9BC5C7475700B74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C8F-6171-372D-000000000602}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C8F-6171-372D-000000000602}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.339{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C8F-6171-372D-000000000602}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.340{6F8252D3-3C8F-6171-372D-000000000602}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:23.308{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D468305F94350A2472D814B9B3F507E7,SHA256=C1D531F17A86192D50F6A56C78C217F72A5AFF43C45953F7A7BAEFC5D4BE126F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:24.423{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21BC279D4E9781A24CCD62400DBB382,SHA256=77E944205DB01B848DEED9CD1169CCE459DD56CBD9F81DAA7A618F6DF2EDE42F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.448{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529F457C2D31282FBF4E09ED85D19401,SHA256=662E303CF19280FFA2C2C5A93F55E2FCB3780B69B47460A5709F6AFDE8A30D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:24.354{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FC977223C2084B5C7A66AB9650B1D0D,SHA256=5B210FC7F728904EA6C271F1C1F9A545404E26A02057C77FAA79C78ED027A84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:24.354{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F331A4BD35FFE49EF31066BB6C9F557,SHA256=3B25A776F2B3EEE9D95E081445DBC2AFB8D09ABD10C4DE32BBCC9CF720A79567,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.339{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3C90-6171-382D-000000000602}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3C90-6171-382D-000000000602}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.323{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3C90-6171-382D-000000000602}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.324{6F8252D3-3C90-6171-382D-000000000602}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:25.453{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39808F0BAC0890518AF2110E58EA3224,SHA256=C7C89145E52068D35D59A22D2556627B1A23780F7F0BDCA4627BBF66518B7B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:25.418{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-29510-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000369727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:25.448{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D9E611C1C104E901DF9394D9CCA4BE,SHA256=04BF243CD1C212C542E650E01E6F2779FF9794B046E4CA523E3EAAF48B2A4674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:25.448{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E12379D4D64B0C37E084EF39E2BD73,SHA256=868043B07A57A9BB7F1541149E44E17007357C6C5494F9CBBEE9B8C54220E25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:26.464{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CB4FCC7E2BACC3C7251653674C01DF,SHA256=8CE6EC30444DA262DCFFB33364002285BCC0175F33DA972DA7B9F4A3BBBF5D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:26.468{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DEA8DE250DEBD4FAE4C409C196A4051,SHA256=9F8F8AF53DF38EB4085A85E63195D35519D7CCA1E382C55680AB2FB6111FE216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:24.178{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53401-false10.0.1.12-8000- 23542300x8000000000000000369734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:27.527{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A588F90915A0D4C8417318EF15CDECC,SHA256=A147BB8FC0271E65D222840F6440217F775A5CA16D43BA05E55CA047102DC3D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:27.920{8D4DD44E-BF3B-616F-0D00-000000000502}9005548C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2A00-000000000502}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:27.920{8D4DD44E-BF3B-616F-0D00-000000000502}9005548C:\Windows\system32\svchost.exe{8D4DD44E-1AA2-6171-1D2A-000000000502}408C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:27.920{8D4DD44E-BF3B-616F-0D00-000000000502}9005548C:\Windows\system32\svchost.exe{8D4DD44E-1AA2-6171-1D2A-000000000502}408C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:27.483{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098444410AA247564789BF18DF15BC43,SHA256=8111DBCDDC029E11D0A9840EBAA3EA8E353011F0369A9EEF411B907367B174F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:27.355{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:27.355{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:27.355{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1500-000000000602}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000369730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:25.359{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.75.63-18702-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000424325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:28.212{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62044-false10.0.1.12-8000- 23542300x8000000000000000424324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:28.486{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA6740B26309A288CC2A4BAE5A4945B,SHA256=9149C694A720CF6251387BAE54DC3C62EC3636A6275C687FBCDC66811A5487E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:28.558{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD390F5B90DAB0E9F63A2B6F8C7EF98,SHA256=8CC77A20DC4142923AAE4FB8B745CD54E920670BB5FE96EDE0364F05C0E6EBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:29.503{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69E4CE664A284C3DE90A1CFB1C1B33D,SHA256=904F62594A14D35B392BFAC4B018708DBD2ABA0F04E2D27B9F29787B2346BBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:29.589{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A0554AE4652819C1BC07EEAE90FB5A,SHA256=0C5BE739C11A8926E0D6A37508D128E6DE63A245A3FE879D1B7C3F4563B55812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:30.777{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5B4AC51A2F337CD707493A0AE02322,SHA256=3CF69F0B0543B4A679580FBDBE871CA1CCF4A81B82703D2E35243F0B865E6090,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.723{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C96-6171-2B2E-000000000502}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.723{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.723{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.723{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.723{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.723{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C96-6171-2B2E-000000000502}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.723{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C96-6171-2B2E-000000000502}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.723{8D4DD44E-3C96-6171-2B2E-000000000502}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.590{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53403-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000424336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.522{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC6F881465C4A5A530F9EEE89E418EE,SHA256=4C3DC33F79883344AB84B09C93C8E468F10CC7486CA2CD1E15185B9C2B7D822A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.254{8D4DD44E-3C96-6171-2A2E-000000000502}27085092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.069{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C96-6171-2A2E-000000000502}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.053{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.053{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.053{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.053{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.053{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C96-6171-2A2E-000000000502}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.053{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C96-6171-2A2E-000000000502}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:30.054{8D4DD44E-3C96-6171-2A2E-000000000502}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:30.433{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D5E1E034845624A720B6DAE6AF0D97E,SHA256=3FB956E854DF071CEDC0DC92B146A7983CEDA3DBC763820B43ADEA5A5EE60E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:31.823{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2BA3E18DF3BE40EE55DA166E89A530,SHA256=689A104101A2AA8F4C1B6A65135CC2361748C0271EB44F5516B9117B87C27640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.522{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B058DE2F0066B19444B271278F389C23,SHA256=B494F96952E6E0E60954A0BD9B1AA8DE60E5DA0453DBE068F8298AEEEBC96F52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:29.439{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53403-false10.0.1.14-49672- 354300x8000000000000000369740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:29.342{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-46003-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000369739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:29.209{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53402-false10.0.1.12-8000- 10341000x8000000000000000424355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.407{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C97-6171-2C2E-000000000502}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.407{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.407{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.407{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.407{8D4DD44E-BF3B-616F-0C00-000000000502}8362804C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.407{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C97-6171-2C2E-000000000502}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.407{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C97-6171-2C2E-000000000502}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.402{8D4DD44E-3C97-6171-2C2E-000000000502}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.070{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5455CEE47141177CA7ACD4A9AAAD37C8,SHA256=00A3A2F70529106509169975E4705D6BE578261AA6358C0E3FA51AB314DDDE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:31.070{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FC977223C2084B5C7A66AB9650B1D0D,SHA256=5B210FC7F728904EA6C271F1C1F9A545404E26A02057C77FAA79C78ED027A84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:32.823{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A5ED5AF88B576D5308F463201E2076,SHA256=50BCF967C5585E8E374D029BBE3E639DF1D0E0378C1386FE77F68E95FC10EABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:33.345{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62045-false10.0.1.12-8000- 23542300x8000000000000000424358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:32.537{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F220AE3E3D3CE89498A639466CB0A5E,SHA256=F181BC353510D607138F4FE0BA3AE353802C58593F60207F9B3B19B8DE7BC2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:32.422{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5455CEE47141177CA7ACD4A9AAAD37C8,SHA256=00A3A2F70529106509169975E4705D6BE578261AA6358C0E3FA51AB314DDDE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:33.823{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A9C860060C87565C790E4749211E76,SHA256=23813CE9DB17D5C2918DC023BE0A0205947A8CA0CD2A66A90A7B2F76DD0A64EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:33.552{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B81B3DB38DE55569D655EAE144BC9F2,SHA256=85A37047464ACC1204AB5DF5E053F56E9EBF13768D8D8A20DB4120A8E12E5F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:34.887{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=73CBBB85B98D509CADA0D8E5C45A104E,SHA256=A961695B88EDB487FD1122D53DE559CDE87B277921FCD2ACB5468C97319A2601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:34.839{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F338E590ECCF51F6D90E1A0A553F662,SHA256=6C80498F2CC69B743B10194A961C6BE43C0C5C5468117E97E05973D928A9BE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:34.967{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E2E4E71A56A823C2BD05DAAC6BEF903C,SHA256=A9640EABD8D9B46D1A98597F7453E8ABFC85ABD4021DDC7E94E8DED08A019BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:34.583{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA74046B4D2D8D1376ED580FBB92757,SHA256=882D1E5F36352A751EB32AC77C5F56C30680012CC14ED36A58489B0624B2F272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:35.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE54BF8BB478A0C5C2E39D0AEE577A7,SHA256=E593A93AE8BCAAD99A0CC5A830D40670904C3C6B8E46432A9CB267DC5E5B989E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:35.600{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C619AE44C6AB44AB581CEACD7D24F6,SHA256=73AD409DCEDC65788113F646BB9C7B000861B7952E0B43A3738BA6EECD175379,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000424363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:35.151{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-10-21 10:10:35.151 23542300x8000000000000000369748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:36.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F9C40BA5E71BAF207F55C42563FC6A,SHA256=2584514B852725BC3AC1300A8FAA705EF8CC4EA8C22AFADC2AF631A5FBF28ED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.834{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C9C-6171-2E2E-000000000502}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.834{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.834{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.834{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.834{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-3C9C-6171-2E2E-000000000502}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.834{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.834{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C9C-6171-2E2E-000000000502}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.835{8D4DD44E-3C9C-6171-2E2E-000000000502}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.618{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B54D5C1EAF7D5C9D4849C44FEAE8D19,SHA256=34BBBFE999E4097422531B42852AA7DFA115F7F3091E7EB2CE928280E3E54D1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.502{8D4DD44E-3C9C-6171-2D2E-000000000502}48801544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.334{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C9C-6171-2D2E-000000000502}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.334{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.334{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.334{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.334{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.334{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C9C-6171-2D2E-000000000502}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.334{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C9C-6171-2D2E-000000000502}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:36.335{8D4DD44E-3C9C-6171-2D2E-000000000502}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.649{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B19B2495B8592FBB226CF3C5DA9EE2B,SHA256=C334BA959191042E459B3BDD9A6EBE8715C8E10166B9D98F5E6C453659E6EF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:37.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612C47600F94D7C7961E9955E0D3375A,SHA256=489099320849EABF3BA9266BC5CDA0A09A0938FB9CF2008CE35F2168E1FE66B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:35.070{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53404-false10.0.1.12-8000- 10341000x8000000000000000424392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.433{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C9D-6171-2F2E-000000000502}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.433{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.433{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.433{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.433{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.433{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3C9D-6171-2F2E-000000000502}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.433{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C9D-6171-2F2E-000000000502}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.434{8D4DD44E-3C9D-6171-2F2E-000000000502}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.349{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EC204F1ECA127A1B73FF12498B70AA7,SHA256=C716B46FF7523D9ED44410A7D1FF28630EB35C05A48D99916B48DD2AE5160C57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:37.002{8D4DD44E-3C9C-6171-2E2E-000000000502}48565292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000369751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:38.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABE8871204E4610BE2EEA3C2D143AB8,SHA256=3E332A70690F7F2D71C63992C815E12BD9D9A7C1A91BB2C76020EEF095CB0B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.679{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57837D638531B41D1938E87880E2FA6B,SHA256=1300EE5E859AC1C1EDD03D22F021D084BE3EEDA9FBEE29B2CA29C5173D303C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.448{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A25077E84DA185CD7B7E81EFD5EE575,SHA256=C45AFC15C4F9B5CE87BEDA52C726165F0F936C310DB43D10E7FDEED78844FB84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.279{8D4DD44E-3C9E-6171-302E-000000000502}4043192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.117{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3C9E-6171-302E-000000000502}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.117{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.117{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.117{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.117{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.117{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3C9E-6171-302E-000000000502}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.117{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3C9E-6171-302E-000000000502}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:38.118{8D4DD44E-3C9E-6171-302E-000000000502}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:39.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61B1B709AD8BC43D744CEBCEAE8B3DA,SHA256=74ACBA73E143DC0BED723BE51B99ADBE19716637B2369E1F079591FB95AC7E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:39.716{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:39.716{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:39.716{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF3C-616F-1500-000000000502}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:39.696{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0659DCE6812707721B9F8C9962B7036E,SHA256=4CEC9B9F986A757D5B2854CE76B43BD97FBC7029BA8326116B0237F7FD60AA98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:39.210{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62046-false10.0.1.12-8000- 23542300x8000000000000000369753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:40.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031202522A7740D6C17475934E9E3337,SHA256=CA30D675E219E580BEDB939FDE29463668A0560EB7C86840A79CEADB0FA3D075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:40.698{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989175CD53934CB2C218E9CE58073461,SHA256=41A95C5DECB28FFE2B5C070BFA1016DC79ABB0F0E81E32CDC862F4DEADE54D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:41.840{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC48BA1EC4262332B34C8C567202A96,SHA256=451BA9D3841C3E48533670FE2F461C03D4A15267A96223FFDC6C3918229232E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:41.716{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3EB410FCA2A5216D6FC56077949B3D,SHA256=961521D84A7208F06848E0BE85328CD3DAF8336C58A80D9E9278FDD703A5DFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:42.856{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356982956E9C062BFD1EF97085F4245B,SHA256=43E3C549267CD5FE849A431243DA77A6E997BF772758B5376AED32C0D173A4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:42.717{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B4BD5E0DD4E3B84DEED5B81C06FC21,SHA256=52D90FCD1186E67A868A84C53A5E62393E4E5DD2784C569A0F88485DFF2FC56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:43.856{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88C2958DF229B6310479FEE2B1158F2,SHA256=0A838C45E460D4CC68E3EFC8EBD7FAAC09FCDE6C75DF4972C20409D4F0DAA7A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.902{8D4DD44E-C6A3-616F-9001-000000000502}45325856C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.902{8D4DD44E-C6A3-616F-9001-000000000502}45325856C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.902{8D4DD44E-C6A3-616F-9001-000000000502}45325856C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.880{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.865{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.865{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.865{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-C7A8-616F-BA01-000000000502}4508C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000424421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:44.277{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62047-false10.0.1.12-8000- 23542300x8000000000000000424420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.730{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104D7FFF71EF3E44A18FFECA9CA1AE6A,SHA256=C2F8167B0F4BE886690903F1B2472CE8DDEFDBD9B352D90C3B0493607CCA17C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:40.118{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53405-false10.0.1.12-8000- 10341000x8000000000000000424419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.715{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.715{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.715{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.715{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.715{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-3CA3-6171-312E-000000000502}4380C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.715{8D4DD44E-C6A3-616F-9001-000000000502}45322476C:\Windows\Explorer.EXE{8D4DD44E-3CA3-6171-312E-000000000502}4380C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d62c|C:\Windows\System32\SHELL32.dll+19e808|C:\Windows\System32\SHELL32.dll+284443|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8d0|C:\Windows\System32\SHELL32.dll+16ad4e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000424413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:43.631{8D4DD44E-3CA3-6171-312E-000000000502}4380C:\Program Files\Notepad++\notepad++.exe8.17Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\3.bat"C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=2225028BE77C99ACC45E1D73E96A4DC7,SHA256=12303C1E166F1853A9A4ECB0AEC4C9AD33085F402A9B554A7FBAC790662DC30A,IMPHASH=F9F6B2513659CA33565D71507191ACE9{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000424431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:44.732{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3995B02DAB5E8BDA8B05D40FAE13149E,SHA256=2B6072E9CC77E0A67EBBB3959381FF4D5D88533BE292060BE8025BE4211E5626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:44.872{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABA3609C662F4799FB91816A4D78FF8,SHA256=04780D5074EB64E870029AD496F578059BB826C54CCCFC52F5CFE0B374BCB536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:44.778{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:44.632{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEAC5B29391FCE195BD65C814E4032BE,SHA256=CED2FA8AFD46B5568F19B3072B6AC4A413CF199CAB0E2CC6A8F3222F008DA42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:44.632{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A7817BE39A94A6F1516BFF6EC2535CB,SHA256=4787A95AB2A2866A97244F272DF5629D551D4F3A87FD14BD1FA3CA64B445465C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:45.872{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D10A3FFE1150564B1D1C30967BF24B,SHA256=5ECAA0F647005293C6C7C29E0520B09B3DC4F7A914BE380B3C8489DEE53E5BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:45.747{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076085E5D42D80468B7CC1F661DE6BB8,SHA256=FBD7DAA451A82D2D9A11B576589A1C6C9938F6EC632F90D2C14CD2B7C1D8FFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:45.372{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFA05B9CA49AEE5D37900ECC1CDF1117,SHA256=3D392C80DED09E94301FCC1403F0F6FF0CEC8D02A312C630CB2421A17E820667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:45.372{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=616E33398DC06FD122261A15675C0D1C,SHA256=9EB263CD3CE80DE43787E77E069D98F2EA334FCC7B7A0F6BB53733176146C683,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:44.018{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-24488-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:46.872{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4F3B331CB58BB4DE073A32E537FBF3,SHA256=C3FF8EBB3CC23D7452C6A9F97CAFB6221AA10B96CA2D90DB644274CC9A4047F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:47.183{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-27616-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 354300x8000000000000000424435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:46.521{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53406-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000424434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:46.777{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D3CEC23E78A1E587F93E82B48C90FD,SHA256=EBBA144274B2D405F8E3F64645061077A9F804300A98DA80687661BE301E3A54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:44.370{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53406-false10.0.1.14-49672- 23542300x8000000000000000424433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:46.115{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEAC5B29391FCE195BD65C814E4032BE,SHA256=CED2FA8AFD46B5568F19B3072B6AC4A413CF199CAB0E2CC6A8F3222F008DA42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:47.798{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D57928BE47CBC9C49714B6EF539F06F,SHA256=DB4391F29F099CBA4D51BAE106DE923D232C8F086658CBB9866EA8B1D2166763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:47.872{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0616D95AB9F7CFAF04FE465AAE39A82,SHA256=BD7A3B35C8B8B7D361464E95D8490B594DBAE6F913C8E058D7A5A3E0C111CAFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:45.195{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53408-false10.0.1.12-8000- 354300x8000000000000000369766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:44.774{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53407-false10.0.1.12-8089- 354300x8000000000000000424439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:49.390{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62048-false10.0.1.12-8000- 23542300x8000000000000000424438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:48.812{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567F455E384A591E2528703E2D18AA4F,SHA256=2FD0C703ED2F00C982D6A1B03113AD65685068B338719DC381A7B557CFE76297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:48.872{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FDF1AE0E8522B8399FF79D8F8A6045,SHA256=017F9B485803F8173DF1B79357F88676BA2B3B6B958A65EB819048DCC695C21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:49.827{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5ED2F8B4F03D218CD9E9F1E5C1936D,SHA256=F5E0D6DD290B9A888B3448154E5C36456B58126CB7819C6E0A3B7CAB4401E2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:49.872{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006E32367857AF6FCADB912AFF751D9C,SHA256=AB265C2598A3F1C75F95EC45489BE42016AC2BF3E78EABFEE6228DCF14D9530F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:50.887{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F7B791742D2B63A31566D7B4ABA0C8,SHA256=6926489EDAAE2A51EA9C06C38CF6FD66FC97B4D4E40E215FE195BB879707CEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:50.842{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB2AB31269B4D7096170C872210DB52,SHA256=FE9207D38746158E5CC4C4D5D09C33DBA4F8A6B93672B2375385AC9795C9982E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:51.842{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3849B65D7A73687A53593AF244CF82,SHA256=1B89EFA6823BFE33B645C5757F29980A88E27062189F833FABF670722287E569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:51.887{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FC95D4427E6EC3F6D9E6E04497451A,SHA256=AA5E17FD32FE6F2F7FA73E39307D251538B85108DE7308D72797DB2CB424D411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:52.873{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB913DC03745632396531A9331F35B74,SHA256=C03195333BA2DBFF2947291EEA646714ACD67B931B4C12190FD7541FBBDDAA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:52.887{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E666E4583A96FAC0E60589F5D607D42,SHA256=62F2E2A550344F839D4E90E74B03E02710E49812F86BFDC82B9D4E5B5EA70368,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:51.070{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53409-false10.0.1.12-8000- 23542300x8000000000000000424444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:53.909{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF681D49CE2AAA4BAE5CC7DB2D7AFCE,SHA256=9D665ACD3BAEECA087FE550931267987C87FAE4F8C3B9EC449B630902705621C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:53.903{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57C4B94D4207A9171A4B16A25B24A78,SHA256=6ED0B28ADEFFA975822817FC6AF0F8CB3AD3B77B0CEF456288F6B54BEE1456F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:53.562{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-1586MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369778Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:54.917{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F1938F79277466FAB4F32ECC5643B9,SHA256=8135C90B4961EDEDD635539B0B72D1CED63D4CBDC88D91CC0AB8A7EE2A76BB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:54.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC860A6852EF045F77C1A0C45F9348A,SHA256=42573646576211E1CE81C59C98281DA08272BE1E8854894AF3DB2215D91C0EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:54.640{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:54.640{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=AAC4B5791EA1B9B6D177D429861D1203,SHA256=BBF12DD9170050019B4FF6BF852D8B3FF04F0137ACDD378CEC517F14482F8B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:54.576{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-1587MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369779Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:55.919{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0293835B4B058EA086EB5579F67F2FC9,SHA256=AAE0C39930E949B92FB92FC72BC61DCFB5771504AA45DD89E885A43D8E703306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:55.940{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F67BC06D75505018B1C98F638E5C83,SHA256=B9AAD1C07BB47F2220B7A3D20E319D1E34E877CD78E5BC7B3C5EA6C2F4EB5E96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:55.252{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62049-false10.0.1.12-8000- 23542300x8000000000000000369780Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:56.919{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1097F8250C277D2A6053F4B50A888041,SHA256=D3A21EC7A6D4AE43861ABE9A63F39C5E9ECD41184C49BFF43371C6158FF69160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:56.970{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3A7299560B4FE2D254E3EB4DDD5F9B,SHA256=A3F2E10EE38C4756E559B963AC6F666BE599C3DED9C307372D6FC81E832DA9F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369782Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:56.165{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53410-false10.0.1.12-8000- 23542300x8000000000000000369781Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:57.935{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912B627E6CBA4D2A91EA75D756F94F9F,SHA256=7B086EA4CDEACBBBFD3C3BDA735C0FB247E2F1E6A6BEEC37132DCE8686D765A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:57.991{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82F4FE49DE10ABF4FEC1B2543D753B5,SHA256=71D00BF94841BC6B7A4A6EB9A17A5D3E397133F2BE422A9B88F6A0818C5B7579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:57.608{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:57.073{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local51816-false10.0.1.14win-dc-185.attackrange.local53domain 354300x8000000000000000424455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:57.073{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local51816- 354300x8000000000000000424454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:57.073{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:100:0:c820:5ce0:c6:ffff-51816-truea00:10e:6554:0:f89d:100:7054:0-53domain 354300x8000000000000000424453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:57.073{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local52888- 354300x8000000000000000424452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:57.072{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local49165- 354300x8000000000000000424451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:57.072{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local49165-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domain 23542300x8000000000000000369783Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:58.935{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBA65784E5D7C621ECA53FFE34416F9,SHA256=D441F20C11C94B06CAFB6498FA96A58092A8DB184DE3DBAD6FC3D9B3EA6E2F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369784Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:10:59.951{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550F36B68E25CF1297E50FAEE07DF8BD,SHA256=66300327D434DF4731E65EB59DB4C2A8362AEB352E4BA951ADAFBE012DBF726B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.707{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=38C1C984216066D7657B746C8A97F0E8,SHA256=2839156CBD72E6B29CFB8649D17AC5DF8847D3E88392655E2B81AFCC9E4A0236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.707{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=7F9F492805D4F8F45FA5778DB109557A,SHA256=BDB794EC227846B2024ABAC290CC440ABE07F52C3572085484FC44B8B869C484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.707{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=9CCF14066A4028DB5D4B7F4E46A0A706,SHA256=460CF24574201C50FC73AF46C9B591749F2EAF74EC2E8165EDA059A5B0FB0515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.707{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=53FA798EF2A5D9CA724F8B27E41316A4,SHA256=60F5E26FADEFEDACC744D7CA00DE64D5911EC92EB6FC768CA1D9DD14FB79C124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.707{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=7DA6DAE41A8527F648072B79CBD7D734,SHA256=FEF0F5BE5860FA10515864CC8FA6F3A48F738C74353372941D71F4D4F4098221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.707{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=7E4BFFB9AB27F7CAF6C11EA5F09A7DDA,SHA256=4F4457F54464A95815F0B3E1150A95D6ACC49BC6FFA7F7CF23DEB7ED790E4726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.707{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=4F78AF4AB3617A28415069A9FE7F3672,SHA256=A4F23DE579AFA15EF724771B80D0E5F10939A21AE668F268CEEC6E32D18D010C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.752{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62050-false10.0.1.12-8089- 23542300x8000000000000000424459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:10:59.007{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BB54E05516B6CE5ABFCD30A8300886,SHA256=49B4103505442ACFBCC59250BD44790C9E8147AE1E5478A18FB81A2249939372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369785Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:00.966{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066BC4CAF76A78AAD133B5006655EF0E,SHA256=E2C3BE244B66048BFEF47190226807BA0491D06DEF8AD2F2DFC6FE770D14909B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:00.522{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=843E9EE2F45E55FBAFBDBF55591DCC82,SHA256=59C6F87F6C6BC21205DDE3289373002D7771A29FEB1EEB118D18560F2E2A1390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:00.522{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11A7882FA7F4142182D4A18EDBEE4483,SHA256=B6BF06BB8339A11F6A726BBC3B8EC0F2E035F27D6CDFF1863796516BF2283847,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:00.350{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62051-false10.0.1.12-8000- 23542300x8000000000000000424468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:00.022{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB475E84724D87BE5697F845B0E4CE3,SHA256=46F5E9B37C84E4D4DD1526459AFC89271D65263400177BF6743281F435F66AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369786Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:01.966{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB7473EC41CB972FAFACC947B5F77ED,SHA256=7D01B89D7BA441A08BB46E32DB538AE87468982123FED7EA7EC81393553EC319,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:01.596{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-3993-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:01.037{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7DFA682A71FC11F573C7E80EAE8005,SHA256=95B9C1E4EC3FA9003B2CB7930B00194C3A19EA8B9AF627447382CD15B1FD95D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369787Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:02.982{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37B3DB24F433D8EFD62E272574BEC5E,SHA256=B37E76816DC5BF4F95D619457256854C631CAB4BF2C18530A8C721A6EB4F8DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:02.067{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5BEBF44DDF6204BB8C5E745FF51F29,SHA256=39DE0A08F39E5358FA12AA6C68818A924356E8C5E21E8172E527C213896CBC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369789Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:03.982{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D194726D638E129D1BB4F41784FC2A7,SHA256=BCDFF441818CAF8906AEEB7D2574E952B1E7B371C8A9DA13565829D465A90FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:03.068{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021CA19242397A7438E2194D5531675B,SHA256=501A9B6F6702A6F505C7ECFCE4366F20BDFC2128DD4E20E3D9311949DF6EF1E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369788Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:01.196{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53411-false10.0.1.12-8000- 23542300x8000000000000000424477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:04.336{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=843E9EE2F45E55FBAFBDBF55591DCC82,SHA256=59C6F87F6C6BC21205DDE3289373002D7771A29FEB1EEB118D18560F2E2A1390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:04.086{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EC13AC6D25652E459177CD84257CC8,SHA256=E86FBB061DA55993ED17338BE421185586DA7EA1B93CF350302014FCB17435C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:05.483{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62052-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:05.483{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62052-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000424478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:05.136{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F411C0E352ECB7B3695992175770442D,SHA256=56228FBD83FBD83D3770C9877EB3D9BDC68F6CE5FE676B6CFF45A4B6CA451180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369790Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:04.997{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B1974EF38C9237C87CADED7EBA4FE2,SHA256=84FBAB12E5DBE9F30E45A25C2918A43BB92FEA0F68206CB19832F59626622B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:06.197{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62053-false10.0.1.12-8000- 23542300x8000000000000000424481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:06.151{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E9BC62C59DAEBB794227B266F4E96,SHA256=0CF023AD41B1D9D0941EEC699CBA1EB9FE6B8BB8ECABFF2C4CE75A05FB343400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369791Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:05.997{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE10613BD00FC01690DED3F0D47AF5D9,SHA256=9F1F382757B96FA05651E180F2E186D2CF01CA04932DF0DAAF998DA927A87FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:07.166{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753C2F6F0528FC72D4033150FC830261,SHA256=DA4D4B22AA7DC191613B7F59CCD7A30F381C2C9268FDBCBAC06034749804EA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369792Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:06.997{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F724A2D559543901CE21E10CA12DE03A,SHA256=58FAE1420618BB5882C791E8B0A97211B6DCB0D0C6C639430C5311F39412CA6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:07.150{8D4DD44E-C7A8-616F-BA01-000000000502}4508ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\3.bat@2021-10-21_101051MD5=0C0BE7EDFBCEBA65C662BF3AA9E4B5F9,SHA256=C9C70B059815702825302862B5EE4581FC09927B25DE58A83CE479306CDA0414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369793Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:07.997{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556BE0A378938B25ED2A7521E020C7D3,SHA256=9B1A2F2E5C1FF8746C9821E75F3A54C9A853ED35908990F9992B5CEAA2E8E7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:08.177{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7869D9986DFD918BCA01B4A97CB2A80,SHA256=54214553741D7C298D4D86C4DC5289C4F1F287BD64B51D82A0359FD8D12497EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:08.087{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-1586MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369795Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:07.181{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53412-false10.0.1.12-8000- 23542300x8000000000000000369794Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:09.232{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D580916EED6FCA4537A97BBD6730C0A,SHA256=09B2AAA59C177DF775880E2AA5C725AD176BACB75A47BB5C02D29A4F8BE1304E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:09.203{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207B01AF98DCA0DEB9976D20C6D1FFE8,SHA256=E4495DAA1615C8915779E1AD35A8E8E609D6F2AC269A34CB5D00BCADAA3BD09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:09.104{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-1587MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369796Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:10.247{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89E5F0B9A6D631659150A12D809F05C,SHA256=23C4A3AECBD7C06B6FE5857BCAEF90CBEBA1C19345B6A660A82DC393BD262824,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:11.293{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62054-false10.0.1.12-8000- 23542300x8000000000000000424489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:10.233{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2B079A5328E2A54B06026648D46327,SHA256=8607E62EDA8DA75EC4677E4FA380068C92D5D61E9A3C009E610B0987B6A62D1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369801Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:10.191{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53413-false10.0.1.14-49672- 354300x8000000000000000369800Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:09.719{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-26814-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369799Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:11.310{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E55A3A3A7FE813518DA4284B9521AA,SHA256=2D13C7150B4A03B1CFD29BEE95F5762573685BE8A3F6AA79C82C140FA7348A77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:12.343{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53413-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000424491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:11.248{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C68ED5EFB63F7C97214FACD83C5809D,SHA256=D1FD999AA0A697D93FBDD6D5FAEE405937984AE1FD3DF80F580A6A0774BF9480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369798Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:11.169{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF246F6A8955C7D3E7B4DA4F8B565577,SHA256=12362625A83740B6CDADFEC91851441D79C04A6E70907077457A1027F95933AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369797Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:11.169{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFA05B9CA49AEE5D37900ECC1CDF1117,SHA256=3D392C80DED09E94301FCC1403F0F6FF0CEC8D02A312C630CB2421A17E820667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369802Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:12.341{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10B7CE0873FDF82D195F650AAC51E18,SHA256=680ACD215BD288E5D04984D977D0E1CFBE49852B6F83C5D82EEF553C659BD3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:12.262{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E83FF03DC3AC8B507A1029B3BC4644,SHA256=8C33DAD4E0933BC54F72B9BA4389A42940AA31F6AC15E965757D36804F184FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:13.283{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E47F41A5EF3D2948E5F91630D979BD,SHA256=178EC4E8C2296F1F27DC3FDC6EFB81CC083DFD770BF26C052CCAD1F01BD6F3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369803Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:13.357{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3999790284B5DD0751CE9C9BAE8DED,SHA256=60F77A0A5FB61735F0DFB7DE2D1C4AB90237DFACB3FF135592CFE16CE8BE5BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369804Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:14.357{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA92133F75148AC9214D8A88E3AD9248,SHA256=B696935F7E2599564AE7792501EE461FDEEDF858FFD004B4E8E3C65E05D24CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:14.314{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB390268F18C6BF7906C2AD33E7409F1,SHA256=86916CCAD5B5FB3D9A65410BD1E0FA598B20ED6BFF76CF5F1EC8DEAA06CF5BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:14.282{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=134F169041DEE664C64A16748F1D6864,SHA256=CDBEEB3508AE49D7E03AF4E177CCA863D7C23D5803D6EBDB274F42CE8C8C568E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:14.282{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=1A3C46889EC727A93F131032BBB57BB4,SHA256=16214EE0B7AD3D91F8CBE34887FC664A5294CDFEF2A8A411B5510D4C21B53F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:14.282{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=29B400E82CCFD32BE5437F903512BC9C,SHA256=85C72B016D0A80AC8980D24234A3323F458B8BC3FDDE654D94E77E65A0AB4588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:14.281{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=C9F7A092472BBD68A9A261B90C0FC6B3,SHA256=F4A5626FF9455E7ECEA608F2D3859AA6DE2347BE7A2FC143DAC66DD86DC4B1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:14.279{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=77C2BC8B2564E8893629BE383116F135,SHA256=932194D68F51AFB73FDB1B99CA7113F87D048B2D0A2DEDC7EFF160D77B46F54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:14.278{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=24346EFFE32B106C5B407BAC6EB727B5,SHA256=35B277D77B81EA08FEBAEE90CD6A4910242BE6AE02EA9CE99779DE6E2A236C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:14.277{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=9EA32978F26C3F49C74845958360522F,SHA256=216807A219CD9141F1F63A355D0C46A0901CF851AF4F8DA74F5FEF008FFB1395,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369806Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:13.056{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53414-false10.0.1.12-8000- 23542300x8000000000000000369805Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:15.372{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97DD3D76355DD60DBEAED4FBA6265B6,SHA256=6F35E99B3F3D08AB47F642ACA9A72EE160232313A15E117E57330BE03E091F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:15.314{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5738A4BF335D26A67141E15CF741D3,SHA256=0A3209C33B9142C070843868FF967D51992F3D7470897B8DA5967E8F5AE0DBCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369820Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3CC4-6171-392D-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369819Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369818Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369817Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369816Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369815Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369814Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369813Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369812Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369811Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369810Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3CC4-6171-392D-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369809Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.825{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3CC4-6171-392D-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369808Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.827{6F8252D3-3CC4-6171-392D-000000000602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369807Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:16.403{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727DE63F0623D2A03331411F8EAA12CD,SHA256=46EBD1A6E148CD8BD6AAA280E4D2381C51637E8299074337BC80579CB9DA5D09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:16.337{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62055-false10.0.1.12-8000- 23542300x8000000000000000424504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:16.329{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD65F3A9323EC5BED79FFD4385CD55DC,SHA256=0D695749F693CAE045B56868767345A3980BE60874996E7328AE0B5A56D550D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369849Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3CC5-6171-3B2D-000000000602}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369848Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369847Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369846Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369845Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369844Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369843Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369842Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369841Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369840Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369839Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-3CC5-6171-3B2D-000000000602}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369838Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.872{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3CC5-6171-3B2D-000000000602}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369837Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.858{6F8252D3-3CC5-6171-3B2D-000000000602}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369836Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.841{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4A4EC3F31E488318F5919EEFECE8D6D,SHA256=C68ABDA6B9B61A82FD6F78A123CD208A11DC8BFD8A42432697911F702C8D7FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369835Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.841{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF246F6A8955C7D3E7B4DA4F8B565577,SHA256=12362625A83740B6CDADFEC91851441D79C04A6E70907077457A1027F95933AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369834Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.794{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF68A2BE51C1625163880C5DA10613E0,SHA256=67EED95AE2E1BFB2E1C5DC2C12BE798B423F2BEB116B740E62D7520590256FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:17.359{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EBDF4464018E851B7DA62EAC5206E5,SHA256=D3A69A2FB328F13DA35FA546EBC0B36C4C3D5CB420EA75825149A1F721F70135,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369833Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3CC5-6171-3A2D-000000000602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369832Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369831Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369830Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369829Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369828Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369827Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369826Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369825Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369824Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369823Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3CC5-6171-3A2D-000000000602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369822Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.325{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3CC5-6171-3A2D-000000000602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369821Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:17.326{6F8252D3-3CC5-6171-3A2D-000000000602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:18.380{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724076B45DBB4EAD835F2732C946AD87,SHA256=7AA89C0B182E81AA027FC21F27A9B6A0F2B714766C45DA212175BCF8F3EF2341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369851Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:18.950{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4A4EC3F31E488318F5919EEFECE8D6D,SHA256=C68ABDA6B9B61A82FD6F78A123CD208A11DC8BFD8A42432697911F702C8D7FF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369850Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:18.106{6F8252D3-3CC5-6171-3B2D-000000000602}7283160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:19.395{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5278E81F1F21347379CA90EAA659D6,SHA256=921A256E7ECEE51C7D51D6A8D026FB1EDC4335538761CD03D689508081B05C35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369853Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:18.133{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53415-false10.0.1.12-8000- 23542300x8000000000000000369852Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:19.013{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D295FBD0ED74600867FA64D433F585F,SHA256=76418F3C70C21A1FE3CF4E83E0284976D1640961019E4416743D705EE93EF0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:19.295{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=DF23E30525098A33CA0669C379DB6D9E,SHA256=435AC30EC8767628ECCFD82C9FE112C9A4F10AA65A7E69DC375FE9BA848F56A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:19.295{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=1BF3097E068666945F49706E0D15C40F,SHA256=9280B84D92AFD6352816427C93EC443C2AC6E9095435EF450B55360E4F5ACACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:19.295{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=2ADF8BDB067978A34D3617C07FD04F71,SHA256=9C8AD5FBE28652AC7569181101616679EB431D40B24C26B9395468C1D13ACC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:19.295{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=654FC87655382073D60C9F6B725750A3,SHA256=4449208AB1FF97B91DDAA42077984FB4247580BD5CAFC96B034D61AE233E1242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:19.295{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=D6993C26D6558B0C5F57E1A672271B63,SHA256=7802942034841E0146725F9361473B0728BC7FC5F5F24B16756C98ECBA85159C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:19.295{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=B6F129EF218DBC330834ED8CA7A69079,SHA256=44E2C123FA8105E4AD329028AF79DF9C06ADB0D60929FFA85FC29EA11B3D6AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:19.295{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=2331451EEA4971D495E3B90D49328783,SHA256=159F7527356811E2CCD4EC8635A2F45096D5EAA9F9BDC8C07B958BAE51013C15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:21.419{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62056-false10.0.1.12-8000- 23542300x8000000000000000424516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:20.410{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC31ED6904C2FA64F530066E0C7748B,SHA256=9CF9D5B0D16DEFF557665DD7EDFA80EF3FC430D67DEE6B13C29C4766F7211DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369854Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:20.044{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D808DD6A4A158D2B7041FEB3D6AA3CF,SHA256=AF011673B4F918616485778B11B72BA3348973B6C5093D9839C740788A7C4F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:21.424{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB84929A407CDCA955EC9FEE47887665,SHA256=710562DA79E7CB327DEF695C0EADD4CDF75860C21A6AC3F8CE51E8CC48D92FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369855Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:21.075{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51543F8A9CF2891C46DEEC2E1F26A9B5,SHA256=D8A561A0E80ACD162F3C05ADF11B7AC78540CF80D1FF7C080EF538658C481EA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:23.666{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53416-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000424519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:22.439{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB916E9E8E4B5818D4CDE0EE277C2DF4,SHA256=8D2E79E4564E8E047E2EAF5FC5FD6FF0990DC2E438713AE374C40FCAF12779A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369884Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3CCA-6171-3D2D-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369883Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369882Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369881Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369880Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369879Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369878Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369877Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369876Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369875Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369874Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3CCA-6171-3D2D-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369873Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3CCA-6171-3D2D-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369872Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.841{6F8252D3-3CCA-6171-3D2D-000000000602}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369871Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.513{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=562C41FF0BD26FA6F04DABBAAE4C1C3B,SHA256=5B9C08B57988A73F2DCFE5E2604EF2D51937D020FDD2828CE81D51BCBE02E818,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369870Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.357{6F8252D3-3CCA-6171-3C2D-000000000602}2123244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369869Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3CCA-6171-3C2D-000000000602}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369868Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369867Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369866Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369865Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369864Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369863Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369862Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369861Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369860Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369859Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3CCA-6171-3C2D-000000000602}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369858Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.169{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3CCA-6171-3C2D-000000000602}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369857Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.170{6F8252D3-3CCA-6171-3C2D-000000000602}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369856Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:22.075{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C94EAF4C105E83E7A52F80EE688782,SHA256=47FB65CBF09E7FD47D694014BE0A5BB6388E805F58CA33F1E78116BDA1EDF362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:23.472{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B191E9F506FBACDEB9A0C28719FED5,SHA256=A60456699E4FCA737CBE64E35568F44AAB75F30CD38EBE0835E6621556B77620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369902Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.934{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93D8A25DD90B3652FF64EFC2B9EA22ED,SHA256=29C63E9333C7F455D129F0D79CFDF459C4A74F7B0C112DD75D987276338F3600,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369901Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.513{6F8252D3-3CCB-6171-3E2D-000000000602}37003096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369900Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3CCB-6171-3E2D-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369899Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369898Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369897Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369896Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369895Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369894Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369893Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369892Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369891Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369890Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-3CCB-6171-3E2D-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369889Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.341{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3CCB-6171-3E2D-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369888Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.342{6F8252D3-3CCB-6171-3E2D-000000000602}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369887Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:21.259{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-56764-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369886Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.169{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A5C98087CD69C40F09C86ECF063066,SHA256=F82B514AC678AAAE4E171068946859999E2CD11E23DC8F3B438C05087AFCD158,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369885Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.075{6F8252D3-3CCA-6171-3D2D-000000000602}1000936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:24.490{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB08C426702E68ECEB56CAA70C894CC,SHA256=E5FE17A7B2BBF8AFA4AA704080B32DA80DCE1297E1245C01E2471AFB4463297B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000369917Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3CCC-6171-3F2D-000000000602}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369916Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369915Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369914Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-3CCC-6171-3F2D-000000000602}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369913Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369912Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369911Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369910Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369909Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369908Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369907Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369906Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.309{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3CCC-6171-3F2D-000000000602}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369905Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.312{6F8252D3-3CCC-6171-3F2D-000000000602}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000369904Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:21.514{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53416-false10.0.1.14-49672- 23542300x8000000000000000369903Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:24.091{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB21CE79347D7833DC9BCD3E06E82D1,SHA256=809C072A7F3F5425726DF57DD34D8166742DEBA663AE36607DB3225529C38FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:25.553{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9809D6C3014250851F47514B2EF86E,SHA256=9CA13D0DA046C9BC1E8020F0E71EB9914FDE59D6DA17033017468A0F70CD3EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369919Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:25.309{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F76AEBF91DC73C850DBE2103F5BA10E,SHA256=F7C223E031494E9814167B79F59DF345F72DE46BCAF09261C584B84A43B1E526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369918Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:25.091{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4BF8B04DE42839292CA52EB2960085,SHA256=AC70270E294686D49074E3F465A5CB0EB17251FD8C3013EFDC904D9BCD5B59D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:27.284{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62057-false10.0.1.12-8000- 354300x8000000000000000424527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:27.158{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-6955-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:26.589{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30FE976B2DA7E6B298969F970953D561,SHA256=89E671AD19D46F48F59414EFCF30CE2D3815F97D15E00479E883A6F6FA65E0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:26.589{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BAF5017C295E7E205F692BD492255FA,SHA256=3AAF62E1B41D63F473635EA5480193C54B1833A5084496826771F6EAE2D191A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:26.570{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2429B9DA1B5BC2F3DB200B843F746E0,SHA256=81CED433AD98B358259F98B94761BD517F1B5197E04816C4C88C9E2514855283,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369921Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:23.227{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53417-false10.0.1.12-8000- 23542300x8000000000000000369920Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:26.091{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4527F5D45AC1A8ECFB59159B21541046,SHA256=4CDBC11243B85E1CE160CB09B2009FC3CE8B6F2D6B4D9403B771884417F2FA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:27.589{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29560EEFDC75D8E27F75BCC0020ECE0,SHA256=81F5B13A34F45E78ADF7A1862235D5FD229BC3480C9EBBBDBC381C1BE1398A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369922Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:27.091{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEA66654A6C8112180599046F43B442,SHA256=7F34565C4BE4DCEDF8AA00AC05A7C44896D56048E362515D229EF94C3EB50568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:28.603{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE5AFD70CD3F5D7575ED70F4AFD958B,SHA256=A02790626FA10B75A3725460DC4B1D8614437E9078D97643D0AE67EAF61C7163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369923Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:28.106{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1C667EEE5EC1C3CDB509EF758EBC01,SHA256=D096F484CE210EE2DFE7A0CC75269BB98C57871A3BD22CCE2E18FF18917311BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:29.634{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C475A852F7111ACF96CA6EDABAC2FE,SHA256=ED3A5BDD2167ED6C11EE961EBBD38858DCFFA7D453A4C4EE6E61602069355404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369924Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:29.106{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D333C55EA0B919BC84DAAB2A7D16B08E,SHA256=C117BAF05DA2FE1168BFDBA58B7106BC01F16B84F68A1CCD57168D21D6221B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:29.334{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=2534EB280942F1DA257581B66A070271,SHA256=8C1B308CEE2ACC1174645DDD1705DB4B744AB41A3BC9B6BEAF080D74F441ECA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:29.334{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=AE282C5A997C06591E082389EB52EBAB,SHA256=9C6CECACA88C1A6CB8DDAB7B40D7E36F0BEA5587B8CC13B7BF8D62B3404E2A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:29.334{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=23EC69CF858AF6D19887BB9CEFE3DDDE,SHA256=5B113FD5A58837EB3B150C00DDB24D6310117F14CBAB91F725D00940409D1EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:29.334{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=D4267571BA7805A360EF5D718C8A9AB1,SHA256=809BC7ACF9D99924FB75411642A4E384827C6476E7BDB62633F1243306F3D214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:29.334{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=596757CF5686A46A7BADBC025D922A6A,SHA256=F6F4D562E6AE469CB2B02F78458AFD99011C3D6942F3FF370761BEDD24B9C587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:29.334{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=C951B26AC000C662931BC2C6F9A09E2A,SHA256=114D64CEE463FA27794BECE3F479263788431894A723A18D067751880A95F28C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:29.334{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=41090A046F85C9DAEE27479398D56C1C,SHA256=5F2A6A2076183CD385D559C852D647E814E396FF3151EC9CF8C0371D39698D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.735{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3CD2-6171-332E-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.735{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.735{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.735{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.735{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.735{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3CD2-6171-332E-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.735{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3CD2-6171-332E-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.736{8D4DD44E-3CD2-6171-332E-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.635{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E2DE023F13B2CC4EF9906B3F076D0C,SHA256=AFF2141963291B4F1F4F7FDA1244C3A8B27973E904DD884EF3BB3C91A3D5AFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369925Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:30.106{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA4128E735C1AC76D198EFE3E99E191,SHA256=97872EF9C9E9CC21839C6A35F0D6CB3D80AB106E79AFC4AF55C6D754D46F55E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.086{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3CD2-6171-322E-000000000502}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.071{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.071{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.071{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.071{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.071{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3CD2-6171-322E-000000000502}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.071{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3CD2-6171-322E-000000000502}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:30.065{8D4DD44E-3CD2-6171-322E-000000000502}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:32.381{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62058-false10.0.1.12-8000- 23542300x8000000000000000424566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.649{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883E8F2F15A010ECF0ACA5DCB5F724DF,SHA256=A0DB95E079951673885AFEC3E5A335C739C7BA461C809115DC102B354B27A85B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369927Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:29.055{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53418-false10.0.1.12-8000- 23542300x8000000000000000369926Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:31.122{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2096D24291BE09DDD300CC4E186A02C0,SHA256=2D0C38036FC5BA00180BA698A6EB4C3A9DAD04E7123E6A0E22A5C9CBCFAF437A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.502{8D4DD44E-3CD3-6171-342E-000000000502}47566104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.334{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3CD3-6171-342E-000000000502}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.334{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.334{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.334{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.334{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.334{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3CD3-6171-342E-000000000502}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.334{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3CD3-6171-342E-000000000502}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.335{8D4DD44E-3CD3-6171-342E-000000000502}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:31.087{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30FE976B2DA7E6B298969F970953D561,SHA256=89E671AD19D46F48F59414EFCF30CE2D3815F97D15E00479E883A6F6FA65E0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:32.668{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E839C51CE7D29B86F239E9E3B8EF1FF,SHA256=48B9939A90BCCF86E4AF2CACC874D12F59535A395D17FBD003C47A3AE91A5DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369928Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:32.138{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24CAFA1C4ADF06246183E94A1892C98F,SHA256=97B78D46E6738A359830E9B38B4F0C9D0A3AEEC529E720CAD86B0D57AD79D283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:32.348{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A763AF26DDC8A05FB164ADA2F2D5D6D,SHA256=BC4B41F921FFA1C0B2D79652D7C246E0AF51F99FAFD31051A61BD43F6930A813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:33.684{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02EE5463BE3A231E6DA48F541A36DCB,SHA256=6A2DBA761AAA373FA3A5EF72735B520C6DD1F4060BEF5BB0A81BAFD0BC431990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369929Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:33.153{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3A8AF482DDE322E75EED69519483B7,SHA256=F2D1CAFD3C8E9F7A54F7E93AAC8F4C1666789EEC9E71D43CFBD4D6085FFDA46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:34.966{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=35077179F76C43FF25EF81B90BF57A1D,SHA256=10187BB5FD513B85AEFF71DA60E36605B890989F6A4727CF7AC6CB24C379E61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:34.699{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621963C73B5DC596D925F6AE41E94D80,SHA256=4C1913F59E47E24E18B15C699EE57B4840E77A27CE6822BE0403F71CE2CC61FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369931Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:34.888{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BA5B720CE7C49F62BD570C996800B69E,SHA256=A678083A9829B19264227D2F2783B8701766E564C92256C7522176671284CDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369930Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:34.153{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D459DB685E383859EAD179587A5128CD,SHA256=BD615D76180DA55A167114EE5C20A87887BF38011B42100A2B7A0B23D7379E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:35.699{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DCA9D90D91ADF751C3A55B25B566B5,SHA256=A26E42435942E0E40A4FB5DED964944D5A7EC54A0F7758B7DCD3B3FDF3255D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369932Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:35.158{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A32CFE3EF4B3E407632786716F10E76,SHA256=937044AE2093892FA1B48372409629E0196AF70EAE55C9B84772CB2D081F6AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.713{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B825E6E64BC5A3224A84EBC56306DE99,SHA256=DB64E39CCE2517D63551FA42F96168DF514ABF1DE9A2C116D7F9D6D2B75B01C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369934Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:34.102{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53419-false10.0.1.12-8000- 23542300x8000000000000000369933Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:36.158{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42257BFD4BCFA11A197F95818E7356DB,SHA256=2EE020B078F4ED90EDCA81CE06218A87382DAD4C9BCDDCD868DD93E8284108A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.529{8D4DD44E-3CD8-6171-352E-000000000502}45841232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.345{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3CD8-6171-352E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.345{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.345{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.345{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3CD8-6171-352E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.345{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.345{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.345{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3CD8-6171-352E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:36.346{8D4DD44E-3CD8-6171-352E-000000000502}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000424605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.944{8D4DD44E-3CD9-6171-372E-000000000502}1362012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000424604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.223{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62059-false10.0.1.12-8000- 23542300x8000000000000000424603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.728{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D49C72959E6185B733996086229F4DC,SHA256=D0B0FC97C4CAC9412D250DA27042B9831E0BEF126DA6AFFC9875FFDDF58BA7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369935Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:37.174{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACAB6607F6CE718371E9F2970ED4C42,SHA256=FC14F06B4FD8BB8DD35E9A5A7A6F5C74D3350FF9954E353D48B698852DD62BAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.697{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3CD9-6171-372E-000000000502}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.697{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.697{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.697{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.697{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.697{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3CD9-6171-372E-000000000502}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.697{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3CD9-6171-372E-000000000502}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.698{8D4DD44E-3CD9-6171-372E-000000000502}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEA3A84EF7EF6D69772D64F9505349C7,SHA256=659E30624FBAA79ABE5D763AE6F5D776F9092C7787F645E67B18C2920655173B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.412{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E5A13566F3CE46C36D0F283F5F08312,SHA256=923D68E9128084CECAA22C28868036E7486D990840F50ED675EF4414758FF49B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.197{8D4DD44E-3CD9-6171-362E-000000000502}47044216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.029{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3CD9-6171-362E-000000000502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.013{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.013{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.013{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.013{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.013{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3CD9-6171-362E-000000000502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.013{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3CD9-6171-362E-000000000502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:37.014{8D4DD44E-3CD9-6171-362E-000000000502}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000424616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:39.787{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-34006-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.796{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F366C63573FE5CC8F91888EF2D0E57,SHA256=9863356F303AD976A6C007764D2EF70390ADC0972C8FE6CAB6A4B059FBD97353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369936Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:38.174{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FA8498A9B8BB7D13EBF627F36C55F2,SHA256=F60517F76188559FE5E4A604986795136C226D73B535494B7E79148CB581CD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.727{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEA3A84EF7EF6D69772D64F9505349C7,SHA256=659E30624FBAA79ABE5D763AE6F5D776F9092C7787F645E67B18C2920655173B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.381{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3CDA-6171-382E-000000000502}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.381{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.381{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.381{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.381{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.381{8D4DD44E-BF38-616F-0500-000000000502}416764C:\Windows\system32\csrss.exe{8D4DD44E-3CDA-6171-382E-000000000502}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.381{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3CDA-6171-382E-000000000502}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:38.381{8D4DD44E-3CDA-6171-382E-000000000502}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:39.796{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562FC03A591DC68B732B82753F40E2CA,SHA256=B8D5EFF0D61760ED3AEA6DC3EB438AC51FF81F12015E5B62B2DFC17F8E2B1046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369937Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:39.174{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38C8B2E3C497B75859E9D1AB77A94CF,SHA256=16F9FF08C58F2098257569C3DA0FC7D47BD1B9CBC1D4D5DC2A9498B2B4008A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:40.811{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0191F003A3C325685F51A4165A91C259,SHA256=37E8D2F28AB03A5A16AD54528461F6E0B76DA248CB80472EFD280570D06E11EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369939Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:39.185{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53420-false10.0.1.12-8000- 23542300x8000000000000000369938Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:40.174{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5ED7E09CF607664912FEF38E491F9F,SHA256=A8BF3DB03EFB5DA75B5839CA7C0C0EBFBC2CB93AC596FDBF236309DB8A05E122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:41.825{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42D354ACAB62A058BD22D9ED6806BF7,SHA256=D70E39841418D938E10759322F16F9B7FC8037B67AFDE82E5C08BCB661510976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369940Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:41.189{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA30DF4D4E1CC8F9BCCA0573DFB3D96,SHA256=CFB8EAB70B18C2B4C46AA438D09FAE7289C51843C28CD475476AD2E04520602D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:42.840{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D511F742976E26C6BB168FF61EA4D7DA,SHA256=7E201742F46328115D1FA6201A811D3AB33C45C7B66AAEC9E68164FF0A84BF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369941Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:42.189{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC3B824D502919D33480DEF1E262C1B,SHA256=1B43F0D71D0BF0080CF1046A844C6C4D4A7D7DE690480DAEBB1EB5DF9188630C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:43.876{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6153B2B66EC5CE11F3D2E111987F30,SHA256=0E332CC152CB7B47D0E7A1E8E217B49C3EEF78E3B89F84910B507098A1C0A46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369942Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:43.189{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358CEAC3697B219B59339A74725B0CC4,SHA256=E9CA51637D518B52C5567729C62F489B95C0A5C96551E5C1811534CE1A771ED9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:43.304{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62060-false10.0.1.12-8000- 23542300x8000000000000000424623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:44.891{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69BFC0E221CFAABB38C901E357C6168,SHA256=DB2022536F3EC0504AF2325C5C711C1CD194592A3F481AC9A5482D8E5C420D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369944Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:44.799{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369943Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:44.189{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39950B36AAB655AAF461D0983F5CA7D5,SHA256=3963165E27C908CC1415E8E071F890E2DF6BFA3756036ED487A091C307E8C9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:45.906{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41F7CB30E5959D8F65475622194EE34,SHA256=9ADB8A3059C464DFB3993414887D23042A2EFAAA32F863E3EE62920BACA62413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369945Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:45.408{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A600292E34E7008AD9B93D158D72E45C,SHA256=991CDB4A12FAED0397941A9A38020AEA4250D7FDE4DB5E3CE1B6B1668A9EE9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:46.921{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55822C7131D95036125DBFB56122D752,SHA256=38A99D54968A425938E5F8E952EB6DA31243A6BD3CEBAACA5439CD9D7D1470F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369948Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:46.486{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524ACB41468BB915B731EBDA82057E98,SHA256=3C68D184F4D9B81B6AB410866A5B4ACC92B687B297496BCAF7380BDC464230B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369947Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:44.795{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53422-false10.0.1.12-8089- 354300x8000000000000000369946Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:44.248{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53421-false10.0.1.12-8000- 23542300x8000000000000000424626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:47.936{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DF46D77500BB30B5C3A63279AA2CFD,SHA256=C8F20C2C18E302917D80172168F2D7892CAE4B425C50DDD36F242201FC8456BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369949Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:47.517{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF6EB80D040E9FD453934D5C8A7D52A,SHA256=6FF99F732379DBE2EC4C8360D241634579CB44C9D4A4BBFB3F461B728AE80981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:48.972{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F64A5C7E62A35C4FAC507504732385A,SHA256=3769230877324C2CCDA1909E39A3851E7F48AE2668D3BCE7313019B8A50D5001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369950Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:48.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB4E72C971C9097BEBEA53486CB8286,SHA256=675F273A9E486E035BF6992255117B3A17141E409B6A3B683152FF1A0EFEB1F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:48.399{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62061-false10.0.1.12-8000- 23542300x8000000000000000369951Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:49.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542A07E6405BBBE76A82113B107AB23A,SHA256=4C226911427317972DE75007B6D23760952F52D756D320BAC82995F3F32D53E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369954Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:50.642{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F82FEDA7A239915AC3A787EC4EDDE71,SHA256=D02B5D229F3B745BDC55987A43F7754047CA698B78236A64351A3F3401D4146B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:50.003{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54323A0FBB3EA118C529157BCE160FEE,SHA256=F0691E399316C295CD890D08DA10325BE9BD7446BC18FCF0F7A1666EB8D3EB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369953Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:50.611{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222C30878F319C90CBE8D47731C2C0CD,SHA256=62813424ABC9A848968B1807D271ACF65EA1B6E1EA676716D2F9ED1EEFFEE358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369952Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:50.611{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B19185B03BEC9BB3CC3D6F5CB1C2970A,SHA256=7A7E0D069D3C910A5F784CB1EE036EDF9D8CE5D2251B2562DB12833209844F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369958Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:51.736{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C2FECA17D26563EC668A9A3C594CF4,SHA256=B5125344E7104329DA0C040A18D92D9B5B5148D538E442DF2C1B27D90A5DE908,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:51.764{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53423-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000424630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:51.033{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3908EE095FF607DD14F23EC0A8C49AA5,SHA256=74903CA042E6190CB986E7CB321C1D1F56754A2D765FFF3BF89F965AF85ABBD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369957Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:50.138{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53424-false10.0.1.12-8000- 354300x8000000000000000369956Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:49.611{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53423-false10.0.1.14-49672- 354300x8000000000000000369955Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:49.515{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-4446-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369959Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:52.736{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52824D215C96B05F0A406EDC3E2DE571,SHA256=519695A0BDEE23847C5FE72CF3CC5C0D82C878F8C55E2321A6EEA970BADFCEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:52.054{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB04C629A4787211DAB3E1D0573943F7,SHA256=2E35B264F961809417FFBBC835001ABB165AEFBA7A3F5EAE3703825BFFCCA93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369960Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:53.767{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA8BBE48A3389DD8B39CA399EE968CD,SHA256=627D472EF1911DC79D91D777DE4EE3BEE87B783ACAC7CFC6B2EF9A409B34810E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:54.279{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62062-false10.0.1.12-8000- 23542300x8000000000000000424633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:53.069{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53280850E8C6A2588F4B306CDD4F7F33,SHA256=2B13682BA9B767F97E983940B626E421A8AFC7634211B868AD41EABFE20E6D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369961Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:54.963{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABE3B36EDE46EB983F941E7EAF11CBC,SHA256=87F5799DF47E36604C87C042501014FA38244E41E7126ED927AE8987129EC130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:54.100{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12FBA521B9F8706AE69ED79C723079A,SHA256=1C2DBAEDCB275B52FA31D20AABE2878F55A38E0FBCA763A25DF7DB6FED40B37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369962Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:55.106{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-1587MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:55.115{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F40B1D796BB1D245CA569B111823C9,SHA256=986493B55AD29951FED592D6089B48A281BF7E195823C0C993CEC0B8520D2A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:56.116{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE9277F0ACCDC000DFCC01158904EEE,SHA256=528F791FD091982442C6B2989BDD200D6BB0B4165F25ECF7DBF62381CFDDDDB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369964Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:56.119{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-1588MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369963Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:56.040{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A743211D432590C05F2A3F3D78497E8A,SHA256=66CA0D2C29C1D60B02131095D7B2CA62B159755E4456A6C8D0EC2E3D2F7D60ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369966Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:55.239{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53425-false10.0.1.12-8000- 23542300x8000000000000000369965Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:57.072{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54D26470EEFFF3AC8213F1192B855B7,SHA256=642BA8980C5E6085EB26D16CC57EB6BB09149856BE398018C992EE09788CBD62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.699{8D4DD44E-C6A3-616F-9001-000000000502}45325940C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.699{8D4DD44E-C6A3-616F-9001-000000000502}45325940C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.699{8D4DD44E-C6A3-616F-9001-000000000502}45325940C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.699{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.699{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.699{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.683{8D4DD44E-C6A3-616F-9001-000000000502}45324764C:\Windows\Explorer.EXE{8D4DD44E-D033-616F-CD02-000000000502}1116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.630{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:57.131{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16351CFB3BD40D751C07DF140C456F71,SHA256=4C7A7F119E694070CA0BF4048141FAE539D9B1209E48651F7F36E8E11BA437D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369967Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:58.197{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3F51987542A64764DB79DCE2CEC9F7,SHA256=7C0F2495008195749FC09EB6B895ABC98BF13B72D737456CA3E0B5F59346047E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:59.361{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62063-false10.0.1.12-8000- 23542300x8000000000000000424647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:58.153{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889D85B4A879B3CFCAAFC89B86ADD295,SHA256=677420010907BD568F2F6DEFEE32D20B5965F08ED4C1535345DF594C05BF1E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369968Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:11:59.197{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C883FEC4A280ED7985013164105F0DF3,SHA256=95686FC85451B8FC39F40A9483ABD2015A05C4D782CEF597E99CCB4B8CF391FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:59.777{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62064-false10.0.1.12-8089- 23542300x8000000000000000424649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:11:59.167{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614D3865870672E0DC5C58667C3C8F98,SHA256=4E625B5DA33FAF6B075A2BD7D4020C2B57E2EC67DAB1F3DB3DFFE84976885F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369969Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:00.228{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699B40163D05087580CB5D8B8CD6E6B0,SHA256=78F7C232DDF86099BCEBD7BEF5DBD2E8E9885BC57D8D78AD87D2A0A3EFC4220A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:00.198{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35B208E48CA3B66740418E7F5F34B6E,SHA256=B662C51CEE7537F0C96A2B502E23228FE1A9F38DAC34FAC09CFD7D375C78977F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:01.212{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1631308FA5813E8A0B92F9C00709BD2D,SHA256=11D08234D635BC58BEAB394B18A2DEF818A1230D3F632D09B2140F7F7C095AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369972Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:01.650{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D956ABE870C6D523C202FE42D3B4523,SHA256=A8EF30831524DADE0961840825FD2584F3A361B94F5AA0C2302ACCA678041D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369971Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:01.650{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222C30878F319C90CBE8D47731C2C0CD,SHA256=62813424ABC9A848968B1807D271ACF65EA1B6E1EA676716D2F9ED1EEFFEE358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369970Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:01.244{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2DB7F6E66D14C708D37DBC83FA897E,SHA256=EE15FB35FA63EBE36BC9E97B520ED015B3FECB90A6D5DFB4B51D2A1FDD5482B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369975Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:01.162{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53426-false10.0.1.12-8000- 354300x8000000000000000369974Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:00.346{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-32019-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000369973Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:02.275{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76000E90D13C7F6DF6EC17E972224210,SHA256=F9765477DD9BF5B09237521B27B0B12A8426EA8611015BFDD8D437DC745D2E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:02.227{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405BEA3D535DC0E77F58CC81F3D67364,SHA256=E1519755BA60CB99A8DE3B964B3D37F8ED92750AF167E5FD858467416D0C6B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369976Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:03.275{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7757728DF6AD3AB041A54A1AC4ACF0,SHA256=C8641FA9BC412E5F29B42CB1166C652A23D2A9A93AAC76D6EA914546E18C47D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:03.244{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A70D95117E77F866469058A9A2810F,SHA256=83204C295A01EC61B0BBDB8508792DAEAEFF9B35949DDA9CC234F45976CB21D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369977Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:04.353{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AFC26B0DF781EC3A77424DD1C101C6,SHA256=DE8A5BD5E561A22460A6EC1FD277F9035737A20507B8328E61137B2DC094E5AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:05.489{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62066-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:05.488{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62066-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000424658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:05.209{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62065-false10.0.1.12-8000- 23542300x8000000000000000424657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:04.327{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41DC65AE291C2ADFF92416A96F03674B,SHA256=F1BAFD85B855333BF17E233025408687ACAF04BEAD3043E9FD2602D529B755C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:04.327{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02E2529791AB74BBB21FF701E20BAA8E,SHA256=46534EBD1ADB8BA71B3F84C5F01DE29C3712816D4B1F501C497B292B1C16E5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:04.247{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2CA37F46043B0460E2A534ABB7F12E,SHA256=22EB80A3FDCF2DCC007525283459ED0F39546EA66783F1008612694432B777F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369978Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:05.556{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAA19D49AF16DC4F29722CE1D7CB9E4,SHA256=6DAFA1C772DCF311D73EB0852212EC76E8B9FA9835D86D15A39321561294A821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:05.263{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9233237EF87611FA4B6515D047FD39,SHA256=E8B6E211DAD57A161A20D3D91A1A3E32A3A8CA3BF4E2D3058A3098A1B4EC4707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369979Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:06.603{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBDB3D2C35721FA3D982D485BC4A5A7,SHA256=40EBA11F7676C5A738A3037CDE5DA879222A8ECBCFC71853F2BC4A5C6CA8DCD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:06.794{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41DC65AE291C2ADFF92416A96F03674B,SHA256=F1BAFD85B855333BF17E233025408687ACAF04BEAD3043E9FD2602D529B755C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:06.279{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3605597EC7755C6382A0E2191E482DF,SHA256=3E7BFD00462F51DCD1136FA5345239AD4E2CF7C2BDEF920C1F5FDF2DE66DA7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369980Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:07.713{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0725DE3137C759BB370D88133972D5D5,SHA256=3DA202FA11759891B84FC6E53FDCB0888062BCBF4749D1C4C3DCECD23D55EB1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:07.645{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-45289-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000424664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:07.293{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608EC3F8D70870E0645969C5F27BE9F2,SHA256=B2CD851EC796ED87C0277779F68F01612DF36E8A21B0E4AAA95D0C3DA3DCBB26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369982Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:07.162{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53427-false10.0.1.12-8000- 23542300x8000000000000000369981Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:08.853{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4E3D90E2B65FD87559489FBD8FD025,SHA256=B7DA686F247AFA89F833B3FD51DB8956A5A0167F2458D1FF6827D94463C33B79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.693{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-4A2E-000000000502}1508C:\Windows\system32\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.693{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-4A2E-000000000502}1508C:\Windows\system32\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.693{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.693{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.693{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.693{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.693{8D4DD44E-3CF8-6171-492E-000000000502}54125760C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-4A2E-000000000502}1508C:\Windows\system32\ipconfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.694{8D4DD44E-3CF8-6171-4A2E-000000000502}1508C:\Windows\System32\ipconfig.exe10.0.14393.0 (rs1_release.160715-1616)IP Configuration UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationipconfig.exeipconfig /allC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=29916DCEA5377C19996B417D9235F42F,SHA256=5EE3FD7CA1AC876D0DE539D469BFC333594FCA3DF9F377CC96C756D9648697F1,IMPHASH=3636F50089F8190E3308E8AEA8F2043A{8D4DD44E-3CF8-6171-492E-000000000502}5412C:\Windows\System32\cmd.execmd.exe /C ipconfig /all 10341000x8000000000000000424807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.678{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-492E-000000000502}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.662{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.662{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.662{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.662{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.662{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-492E-000000000502}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.662{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-492E-000000000502}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.659{8D4DD44E-3CF8-6171-492E-000000000502}5412C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /C ipconfig /allC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x8000000000000000424799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.662{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C1AB3EE10A3F74F37A9E296040FC69,SHA256=4BEDEB128DED02F92C9CCB6E90EDA0FD7CD253FA98F61D86547A3CF1CA41253C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.625{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-482E-000000000502}484C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.625{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.625{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.625{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.625{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.625{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-482E-000000000502}484C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.625{8D4DD44E-3CF8-6171-472E-000000000502}26802528C:\Windows\system32\net.exe{8D4DD44E-3CF8-6171-482E-000000000502}484C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.631{8D4DD44E-3CF8-6171-482E-000000000502}484C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 group "Domain Computers" /DOMAINC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{8D4DD44E-3CF8-6171-472E-000000000502}2680C:\Windows\System32\net.exenet group "Domain Computers" /DOMAIN 10341000x8000000000000000424790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-472E-000000000502}2680C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-472E-000000000502}2680C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-3CF8-6171-462E-000000000502}3165572C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-472E-000000000502}2680C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.617{8D4DD44E-3CF8-6171-472E-000000000502}2680C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet group "Domain Computers" /DOMAINC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{8D4DD44E-3CF8-6171-462E-000000000502}316C:\Windows\System32\cmd.execmd.exe /C net group "Domain Computers" /DOMAIN 10341000x8000000000000000424782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-462E-000000000502}316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.609{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.594{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-462E-000000000502}316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.594{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-462E-000000000502}316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.599{8D4DD44E-3CF8-6171-462E-000000000502}316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /C net group "Domain Computers" /DOMAINC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x8000000000000000424774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.578{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAF79EFA3C16B5978C6E04D3C2C6508,SHA256=45C8125517910AA575F851BD3305CEA48258E6A6032680AA28BACA0252561BE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.562{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-452E-000000000502}4492C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.562{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.562{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.562{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-452E-000000000502}4492C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.562{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.562{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.562{8D4DD44E-3CF8-6171-442E-000000000502}54922436C:\Windows\system32\net.exe{8D4DD44E-3CF8-6171-452E-000000000502}4492C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.558{8D4DD44E-3CF8-6171-452E-000000000502}4492C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 group "domain Admins" /DOMAINC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{8D4DD44E-3CF8-6171-442E-000000000502}5492C:\Windows\System32\net.exenet group "domain Admins" /DOMAIN 10341000x8000000000000000424765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.545{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-442E-000000000502}5492C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.542{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786F139FDAEDAEFA4AFB81E216C22AD2,SHA256=5D86F02A6DFCE71165619C114CB4C3D3109E27667EA7F216760312A769A2D9D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.525{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.525{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.525{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.525{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.525{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-442E-000000000502}5492C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.525{8D4DD44E-3CF8-6171-432E-000000000502}52924892C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-442E-000000000502}5492C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.535{8D4DD44E-3CF8-6171-442E-000000000502}5492C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet group "domain Admins" /DOMAINC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{8D4DD44E-3CF8-6171-432E-000000000502}5292C:\Windows\System32\cmd.execmd.exe /C net group "domain Admins" /DOMAIN 10341000x8000000000000000424756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.509{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-432E-000000000502}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.509{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.509{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.509{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.509{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.509{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-432E-000000000502}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.509{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-432E-000000000502}5292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.513{8D4DD44E-3CF8-6171-432E-000000000502}5292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /C net group "domain Admins" /DOMAINC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000424748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-422E-000000000502}336C:\Windows\system32\NETSTAT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-412E-000000000502}5288C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-422E-000000000502}336C:\Windows\system32\NETSTAT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-3CF8-6171-402E-000000000502}1843152C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-422E-000000000502}336C:\Windows\system32\NETSTAT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.477{8D4DD44E-3CF8-6171-422E-000000000502}336C:\Windows\System32\NETSTAT.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Netstat CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnetstat.exenetstat -a -n -p tcp C:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=A96209882B0B2B29424E0F637D40A054,SHA256=9F070E1F4AA9AE0A5EA084FEBBD5983293E5748D0A5CC5D46098CB9271D2D508,IMPHASH=1CF0C01BB1C384844DD29F2A64D4E73F{8D4DD44E-3CF8-6171-402E-000000000502}184C:\Windows\System32\cmd.execmd.exe /C netstat -a -n -p tcp 10341000x8000000000000000424735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-412E-000000000502}5288C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.478{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-412E-000000000502}5288C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.474{8D4DD44E-3CF8-6171-412E-000000000502}5288C:\Windows\System32\find.exe10.0.14393.0 (rs1_release.160715-1616)Find String (grep) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFIND.EXEfind "ESTAB"C:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=1E16116CCE7317C0E87559DA23A4EAD3,SHA256=40C0EC6D7371D316BC1F0ABE80D0236F613C9FB88DCE2D9B5D5FD4A1A59E8B49,IMPHASH=8227B3EA21F13E06E81C9AA2636A858A{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000424732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.462{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-402E-000000000502}184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.462{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.462{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.462{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.462{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.462{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-402E-000000000502}184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.462{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-402E-000000000502}184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.458{8D4DD44E-3CF8-6171-402E-000000000502}184C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /C netstat -a -n -p tcp C:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 734700x8000000000000000424724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.423{8D4DD44E-3CF8-6171-3F2E-000000000502}4476C:\Windows\System32\nltest.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000424723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.423{8D4DD44E-BF39-616F-0B00-000000000502}6325196C:\Windows\system32\lsass.exe{8D4DD44E-3CF8-6171-3F2E-000000000502}4476C:\Windows\system32\nltest.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.423{8D4DD44E-BF39-616F-0B00-000000000502}6325196C:\Windows\system32\lsass.exe{8D4DD44E-3CF8-6171-3F2E-000000000502}4476C:\Windows\system32\nltest.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.392{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-3F2E-000000000502}4476C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.392{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.392{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.392{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.392{8D4DD44E-C6A0-616F-7F01-000000000502}21602588C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-3F2E-000000000502}4476C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.392{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.392{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-3F2E-000000000502}4476C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.393{8D4DD44E-3CF8-6171-3F2E-000000000502}4476C:\Windows\System32\nltest.exe10.0.14393.4283 (rs1_release.210303-1802)Microsoft® Logon Server Test UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationnltestrk.exenltest /dclist:C:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=1171BC1F016201B83E30634121BA2A40,SHA256=8DB95007AC3DD96C487C0CC477BD89A6282D6F0949EBCECBBDA4F8D37C2A959C,IMPHASH=4C049D80BB0FE7E8B0688666FFF88442{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000424713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.361{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-3E2E-000000000502}2864C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.361{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.361{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.361{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-3E2E-000000000502}2864C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.361{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.361{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.361{8D4DD44E-3CF8-6171-3D2E-000000000502}57286028C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-3E2E-000000000502}2864C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.354{8D4DD44E-3CF8-6171-3E2E-000000000502}2864C:\Windows\System32\nltest.exe10.0.14393.4283 (rs1_release.210303-1802)Microsoft® Logon Server Test UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationnltestrk.exenltest /domain_trustsC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=1171BC1F016201B83E30634121BA2A40,SHA256=8DB95007AC3DD96C487C0CC477BD89A6282D6F0949EBCECBBDA4F8D37C2A959C,IMPHASH=4C049D80BB0FE7E8B0688666FFF88442{8D4DD44E-3CF8-6171-3D2E-000000000502}5728C:\Windows\System32\cmd.execmd.exe /C nltest /domain_trusts 10341000x8000000000000000424705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.345{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-3D2E-000000000502}5728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.342{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.342{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.342{8D4DD44E-C6A0-616F-7F01-000000000502}21602112C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-3D2E-000000000502}5728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.342{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.342{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.341{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-3D2E-000000000502}5728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.335{8D4DD44E-3CF8-6171-3D2E-000000000502}5728C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /C nltest /domain_trustsC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000424697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-3C2E-000000000502}5668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-3C2E-000000000502}5668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-3CF8-6171-3B2E-000000000502}38282140C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-3C2E-000000000502}5668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.287{8D4DD44E-3CF8-6171-3C2E-000000000502}5668C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 127.0.0.1C:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{8D4DD44E-3CF8-6171-3B2E-000000000502}3828C:\Windows\System32\cmd.execmd.exe /C ping -n 1 127.0.0.1 10341000x8000000000000000424689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-3B2E-000000000502}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-3B2E-000000000502}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.277{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-3B2E-000000000502}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.272{8D4DD44E-3CF8-6171-3B2E-000000000502}3828C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /C ping -n 1 127.0.0.1C:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000424681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.245{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-3A2E-000000000502}5684C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.241{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-3A2E-000000000502}5684C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.241{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.241{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.241{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.240{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.240{8D4DD44E-3CF8-6171-392E-000000000502}56521412C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-3A2E-000000000502}5684C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.239{8D4DD44E-3CF8-6171-3A2E-000000000502}5684C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 127.0.0.1C:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{8D4DD44E-3CF8-6171-392E-000000000502}5652C:\Windows\System32\cmd.execmd.exe /C ping -n 127.0.0.1 10341000x8000000000000000424673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.224{8D4DD44E-D033-616F-CD02-000000000502}11164332C:\Windows\system32\conhost.exe{8D4DD44E-3CF8-6171-392E-000000000502}5652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.224{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.224{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.224{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.224{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.224{8D4DD44E-C6A0-616F-7F01-000000000502}21603936C:\Windows\system32\csrss.exe{8D4DD44E-3CF8-6171-392E-000000000502}5652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.224{8D4DD44E-D033-616F-CC02-000000000502}13444684C:\Windows\system32\cmd.exe{8D4DD44E-3CF8-6171-392E-000000000502}5652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:08.212{8D4DD44E-3CF8-6171-392E-000000000502}5652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /C ping -n 127.0.0.1C:\Temp\ATTACKRANGE\Administrator{8D4DD44E-C6A1-616F-997D-110000000000}0x117d992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-D033-616F-CC02-000000000502}1344C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x8000000000000000369983Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:09.869{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15199CE397ECAD6C22FA4A3C37FA5A45,SHA256=9D2203D479A8A4FB24869AD9CDEF3AAE99C4FA79D8C9C797C33BEBFC77D1B9DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.588{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62069-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x8000000000000000424820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.582{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62068-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x8000000000000000424819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.406{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62067-false10.0.1.12-8000- 23542300x8000000000000000424818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:09.628{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-1587MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:09.363{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6831C4EC07050C89AC2B6132F0459425,SHA256=0558C80E8BDA34F64B62DB279B769A8990F7723198B54C5255FF62043EB4AC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:09.226{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=244FFD1F9979B4E50D06048B2EEECD98,SHA256=F69B284A7398657FFCA52988DB0973B4AEB8B85935F2A80CB2243B4790A3B13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369984Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:10.931{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B187B18C7BF0A0F8CA02ADF9F203C54,SHA256=EE6759ED8D5AC083A8B16BEB7335AB8418A03A14DDDDF073C866E6FEE6F01575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.641{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-1588MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000424828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.581{00000000-0000-0000-0000-000000000000}4476win-dc-185.attackrange.local0fe80::499a:5ff5:cd3f:fbde;::ffff:10.0.1.14;<unknown process> 354300x8000000000000000424827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.588{00000000-0000-0000-0000-000000000000}4476<unknown process>-tcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62069-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x8000000000000000424826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.582{00000000-0000-0000-0000-000000000000}4476<unknown process>-tcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62068-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x8000000000000000424825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.394{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07265400105520448DAB8C833863373B,SHA256=0D3944D716A61F0112203038DEA2CE15EE9694F930F47B08B9CC1C11BD4111B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.110{8D4DD44E-C6A3-616F-9001-000000000502}45324628C:\Windows\Explorer.EXE{8D4DD44E-1AA2-6171-1D2A-000000000502}408C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801AE8DCD08)|UNKNOWN(FFFFDA0BBDEA5B48)|UNKNOWN(FFFFDA0BBDEA5CC7)|UNKNOWN(FFFFDA0BBDEA0351)|UNKNOWN(FFFFDA0BBDEA1D1A)|UNKNOWN(FFFFDA0BBDE9FFD6)|UNKNOWN(FFFFF801AE5F5103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000424823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.110{8D4DD44E-C6A3-616F-9001-000000000502}45324628C:\Windows\Explorer.EXE{8D4DD44E-1AA2-6171-1D2A-000000000502}408C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801AE8DCD08)|UNKNOWN(FFFFDA0BBDEA5B48)|UNKNOWN(FFFFDA0BBDEA5CC7)|UNKNOWN(FFFFDA0BBDEA0351)|UNKNOWN(FFFFDA0BBDEA1D1A)|UNKNOWN(FFFFDA0BBDE9FFD6)|UNKNOWN(FFFFF801AE5F5103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf37a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:10.094{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF5d3f160.TMPMD5=72EC8CF068B0A55D02E3891BBA29D005,SHA256=EB9C7609B89FD242502A2C43207958AF07ACD91510E34E65E3E2EA85F8EDE330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:11.409{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DE292B64578FD5B6890B21862B5657,SHA256=B96EA052D1A29738F84FFF37A6D0369DDE3310AC0FBB0F72506F4A4ABCD82015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:12.477{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39AC6B93701A08BD34507E1259409A9,SHA256=F7ACE46409CFC3A80ECDD0E84BAAACEF4914576423DC0DFD1DAE8BF45FDF4E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369985Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:12.041{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5F217CC77AD4A075C58A2B7CC01469,SHA256=666193238F5D9B3B938CDF34A8D6006E07FDB77D161C5330C205BBB398064BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:13.492{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7619713E4954E9B41AF9BC26F39E150E,SHA256=21C29AFDA56EDD73CAFC9043F21158118EEEAE40C937E46297B8A1B285B97EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369986Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:13.103{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908A0F8D2D6102A351966549B2DE15AA,SHA256=3AB842A4EE18EAF12C02B93000B916DEA2CDB01CBEDB8A1703CB8B185B70B19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:14.506{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43F74073F51E7A9E3EE1A8B89681441,SHA256=4505FA6AE25972D5B3AE797456B90464DE5BC1DDE792C7832C85631AFFB40DEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000369988Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:13.116{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53428-false10.0.1.12-8000- 23542300x8000000000000000369987Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:14.322{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810CA76DA02A476D0639378386634C4D,SHA256=08DF0FFDFD78B0A71D1AE81603C15AB10EEE7115698046ACBC68B0140CA979F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:15.890{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=51F43A799FF72538DE7F7E29A860BCD5,SHA256=F2BBB4DE2DA6B8EA0EABB504605B6038B42D4D9B14BD04BC4BE4DEE5623E6422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:15.890{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=28541AD35FD4AA0C6AE784698EBBFC4E,SHA256=4F27E649AC8051B7E3549AE8467BC32A25A419F07BB1DC724117B43D1CF86D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:15.890{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=3A9CA5B4F948F9BE7E68C37405FF8B6C,SHA256=5459A0BDCDF3EBA8AA02CF80A086DF0B6F547DC7CDC909F49DA40F9C067C5477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:15.890{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=1CAB743D184162939ED15B6CF846785B,SHA256=DD2CB1DC4FA2B3CC22A826714491B25F58014AA9FEBDB3AC7CB280062648AE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:15.890{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=A3D1CD8D5E8E87C59046C87E66AB90F8,SHA256=CDC3FE46EF2C64F936B9FD0877A3DEA2354ED85A22526774ADF7DC19C14EEA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:15.890{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=109F71AB12E5F318E64378B7DBCA0343,SHA256=0C5AAF7904A7950F5F7FBF9D3C29CB818DE826E298B7EE84A3CF73FFBA2F3550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:15.890{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=07A61F2D5DCCABDEF2968B1F200C80BE,SHA256=1B04FEDE23837017CDEEABD61501084F4CC34246C122DBE6238200CEC9DEFD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:15.522{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08C217B64B518A309C5355B85EFEEBC,SHA256=82B2846C04CD33BA385266A46FC362650C864D35A8CA8473CD2841FD260CDA33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000369989Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:15.325{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52271736267C5884A47B2A8C35278E1C,SHA256=D92F87664353A7F423461D8F0A9330B5C90BAAA3E44DA54E9C2C06498ACCB0E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:17.320{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-11334-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 354300x8000000000000000424845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:16.285{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62070-false10.0.1.12-8000- 23542300x8000000000000000424844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:16.541{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D5F61FAFDBDFDCF8BD51D5C9DC4F77,SHA256=35286C46AD05868661547477145721C54F159E0BC031652CDD31FFA6BB055B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370003Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D00-6171-402D-000000000602}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370002Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370001Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370000Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369999Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369998Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369997Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369996Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369995Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369994Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000369993Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3D00-6171-402D-000000000602}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000369992Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.825{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D00-6171-402D-000000000602}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000369991Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.826{6F8252D3-3D00-6171-402D-000000000602}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000369990Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:16.341{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0CD0A7FBF98CCA5BD63E5A1D32953D,SHA256=300A12F4921F6E7A84F03D223C1B25A13F109B5F87A651979664F42D4A594764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:16.274{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5FA97BB687FA4BDB943B5F80B7C1553,SHA256=1EAC2D51E0691D85A931C08B6210C3B7D7A4ED74EB81B23DD7CC613C963B4F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:16.274{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571985FD377E0A601CE99C6F0C170269,SHA256=BAFB6A4ACED9258317BF57889A3E5F836C9E0C9FADFB640F6654F48A3F3DD8BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370032Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D01-6171-422D-000000000602}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370031Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370030Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370029Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370028Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370027Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370026Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370025Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370024Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370023Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370022Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3D01-6171-422D-000000000602}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370021Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.887{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D01-6171-422D-000000000602}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370020Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.889{6F8252D3-3D01-6171-422D-000000000602}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370019Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.856{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9517CA44AA8DBC28D1CA87CC6422C7E6,SHA256=57FBE9DB702985D4E81943D9124A293DC186D5D1BF124F4A5578D2E4925A0928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370018Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.856{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D956ABE870C6D523C202FE42D3B4523,SHA256=A8EF30831524DADE0961840825FD2584F3A361B94F5AA0C2302ACCA678041D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370017Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.794{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A068315C094D45B6DEE44B4F52CFDF6B,SHA256=261512A2920A3AACFC562B68BE2F299056DFC405E165A38DD18D44290476A20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:17.557{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A0A8BBBD38A9C498C5E4EF7A94D528,SHA256=6A779417B5360348A42817C88E151C4A579948CDB119921107F1074191D56628,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370016Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D01-6171-412D-000000000602}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370015Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370014Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370013Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370012Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370011Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370010Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370009Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370008Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370007Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370006Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3D01-6171-412D-000000000602}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370005Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.325{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D01-6171-412D-000000000602}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370004Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:17.326{6F8252D3-3D01-6171-412D-000000000602}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:18.571{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1003034F0EF71D91FAFC86BD4F481D1,SHA256=D50F7FD2D28D4721C7DD464075B98DE83F2A10EB5EC0C4A8DF6DA5DFA46D33DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370033Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:18.091{6F8252D3-3D01-6171-422D-000000000602}32681124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:19.586{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F903D4C3FE6068E61FAF90AA040EEDA6,SHA256=42119B601324A2D4F322E134503DF416A91287D6AF4AA14AC5AD7C6B1AA40947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370035Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:18.997{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606A4C1C662533F37A9FF8DE0E269C09,SHA256=F1108C34C50CC7377F3CBD9D2CA8D736DBD8E541664A1D469776784B8CB51319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370034Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:18.997{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9517CA44AA8DBC28D1CA87CC6422C7E6,SHA256=57FBE9DB702985D4E81943D9124A293DC186D5D1BF124F4A5578D2E4925A0928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:20.601{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC82270536B168AE46BE7515099773B8,SHA256=D3A0CCFF4180F3F35B25E0E056DA3D49DE69EA8954BAC55E179FD59E02A90E94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370037Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:18.243{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53429-false10.0.1.12-8000- 23542300x8000000000000000370036Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:20.013{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03A122507A00BDE35B431DEB5F30895,SHA256=8725DE41D55F4BA0B621289B8CFAC445DD7037B6E525FA0DEF2697AE5BBEF092,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:21.349{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62071-false10.0.1.12-8000- 23542300x8000000000000000424851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:21.615{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FA84B7DD09A4842111E93F1258F4F3,SHA256=1951B1E3074B5AD91C96B01029A8EEA9AE84C816B1C2A11640A2D8CB088DBC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370038Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:21.044{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188C5F2EF1750EA92DFF643E1137745C,SHA256=19246F989A4E6E4CAAAAEF295C4F460F30C2431AB50F7BCBD6828206C5DE2A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:22.683{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBCF023224A584A5B1192AB039F56F0,SHA256=E799E481DE1997CCA8E18320C892FEA482ED786E72CC5C07348D33EE500D3159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370066Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D06-6171-442D-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370065Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370064Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370063Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370062Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370061Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370060Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370059Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370058Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370057Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370056Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3D06-6171-442D-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370055Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D06-6171-442D-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370054Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.841{6F8252D3-3D06-6171-442D-000000000602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000370053Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.356{6F8252D3-3D06-6171-432D-000000000602}37201944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370052Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.184{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D06-6171-432D-000000000602}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370051Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370050Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370049Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370048Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370047Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370046Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370045Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370044Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370043Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370042Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3D06-6171-432D-000000000602}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370041Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.169{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D06-6171-432D-000000000602}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370040Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.170{6F8252D3-3D06-6171-432D-000000000602}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370039Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:22.044{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2CCEC18889553FB1FFACFE68349A7B,SHA256=B2BBB8D6AD402FAAFDD5253EB0F793F6D3B38097EDC4924B0B88B1FAB87E3BF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.700{6F8252D3-3D07-6171-452D-000000000602}37121376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.591{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5E5027891214DCD133A527609AF91E,SHA256=C3217347D4F698A95B68CD3CD7EAD915A1B02605FF7A10E8766E003618A897CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.591{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62DC05C17968B5B2CD6EE3CB9A2C320A,SHA256=5C68B6356DA2419F1B739505AD9CCDE321B90EC48EDB9A102AC6C1BD612CBEA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D07-6171-452D-000000000602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3D07-6171-452D-000000000602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.512{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D07-6171-452D-000000000602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370068Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.513{6F8252D3-3D07-6171-452D-000000000602}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:23.698{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988F211A329F2022CF77FDB504D5B852,SHA256=FC2D66E672F8FBC393ED8B27E7374BE875C9B6F2FCBC150A6D63480AFFBBDE3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370067Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:23.044{6F8252D3-3D06-6171-442D-000000000602}37482576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.825{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A844A71E2A520D83992A2078E172F69F,SHA256=AF3236E15936EBC2F0E6943FFBC46EEDC7B2F229912DE8828A4D80F551DE9D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.591{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FAFB365F829C2BAD184AD1C945945F5,SHA256=AF5BAA50E00B4A26AC64912E4FFE89F9F342661A75E47E07E9D2B2F134CEEB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:24.713{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1634A9F4040B411981955AFB0863021,SHA256=47A32C36B56E912BFD0193A891C78A9ED6EEB7F2353DCF0A1100679E37A3A36D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D08-6171-462D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3D08-6171-462D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.309{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D08-6171-462D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.310{6F8252D3-3D08-6171-462D-000000000602}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000370100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:24.118{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53430-false10.0.1.12-8000- 23542300x8000000000000000370099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:25.606{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3693BD656DC97638CA74A1251F9750,SHA256=7A9E4473BAE67175913EB88717B723C6CC404B9002C6DDE8338440726B034B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:25.912{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=6E735B576E45173106A2B8001C46D38C,SHA256=0D9A40104D846DD5015B79884DEF219AC849B5AFC56259F5D36B124E555BD16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:25.912{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=514C0313A973F306A1F0D7A3865E8852,SHA256=EEF036CEB49E13BB15EEAB59F61B53856084EC34DCC119C5190C25FE3D29F9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:25.912{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=C8756131C188620ABCE775C368C5E076,SHA256=979D1D8B7C2D461AA19AD0FED23085BF80EA5C1B9AEB10D5C3A9D926C6EDC8DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:25.912{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=0232AE2470CA2494286B75225E290529,SHA256=3CD15D263EC887C0CFFCF14AA744BD629AD50757BEAAC667168E479394B603E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:25.912{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=160A3162C539F315AEAB779D6CB5B8AD,SHA256=1C794452F9600FF866B089C4449933327330F4DC6DC6CF35F11A137C34130CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:25.912{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=18B79BBAF9BB1908CC2B7ACAFD6FC3AB,SHA256=30BD44B322B1D2B1CAF4AB03856BCCE70F2C9EE3E2BBC106509A63A5DC36E1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:25.912{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=3650CA19290E823A59736BFCCF566634,SHA256=8A11249342BDA84A0F95177445F1C33E79AF2A61D4EE110AB786633ACE5B5AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:25.730{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6DA8616D3E4D41A160A55B02853982,SHA256=8733A87259203102F9506D41E638E50BB1952E216C4D3F957E50AA4561D989B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:26.731{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13CE9C45F2F210F1003FE5D1C8C90F3D,SHA256=A4A8CC89696595D5F526680C72DB75111898796C06E1A315E3DF2A18342E688D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:27.213{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62072-false10.0.1.12-8000- 23542300x8000000000000000424864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:26.749{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550F6894D46E3E6B5DB47270E6035229,SHA256=EDC635222737AA9CA4D0CDAA3B4537F77A2E80E536C7356C9A9388212D81E21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:27.764{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725222E2D1DA51AB940C8A70843EA212,SHA256=0D73C8E85897864EF2C336875369943235E437B39F4F1429C27ED38C5B29EBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:27.825{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3A21B9700074F8C0BC2801DA246EC45,SHA256=53736B7CF358595B90695D8CA518F4CC49F4D24C942F9F553D0D55956651A190,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:26.358{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-40490-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000370102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:27.747{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B56399893741706E7A93610F86FD3C,SHA256=6968B1162FE6947BE99523799E0AA66908B8460CBA6D41C633F99643FA9C8FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:28.794{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8892D5C241EAE0A3AF4F142E55ABC4,SHA256=B98BC43489109C9A43829AB2E38150726DF201938871BD7CB1FB77367129B549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:28.779{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98160313B344B3263DA4B0DFE5C4EC4,SHA256=129EB0A37F6FD3D346D3DB39CDA020DA42926167C55521B0A3016C1CFE00C8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:29.794{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384742F0FA356B7B53129789E447A75A,SHA256=549C9B15BDC08739897A5EB48AE04D3B67F811BA01E8257FF022BE1FC86ED3F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:29.793{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D030EA1EE4CF186BC18DF2B310025EA7,SHA256=8AFA27F7A63E12C0940628F536184167473E7DD955F5C1107D3815B716FE9182,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:26.832{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53431-false10.0.1.14-49672- 354300x8000000000000000424868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:28.986{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53431-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000370108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:30.934{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B38F3550D1FC0148DB30AE388AE1BF3,SHA256=3333457AB2DBBA9F48D9643D41A98720E13907CAB0F5531D02D149D428C49A95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.929{8D4DD44E-3D0E-6171-4C2E-000000000502}55922436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.808{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806540B11A16EC74943836C83D39A2E5,SHA256=8EA34D4984A0B99B7AEA28AFF8843404A8CC674A4DC0B7BA33F4CD6929F6253F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.745{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3D0E-6171-4C2E-000000000502}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.745{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.745{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.745{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.745{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.745{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3D0E-6171-4C2E-000000000502}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.745{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3D0E-6171-4C2E-000000000502}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.746{8D4DD44E-3D0E-6171-4C2E-000000000502}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000424877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.077{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3D0E-6171-4B2E-000000000502}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.077{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.077{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.077{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.077{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.077{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3D0E-6171-4B2E-000000000502}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.077{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3D0E-6171-4B2E-000000000502}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:30.078{8D4DD44E-3D0E-6171-4B2E-000000000502}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:31.934{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB9C1CFCB26E421086386ABCECE205D,SHA256=1720A59107619E107F47FE75B8286FAE2449DEF1B4D1FA76D29D935654E90F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.876{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DE7BE4F92567F5C151C519308B9B14,SHA256=2C02F7709BDBEBFF18B6C3E5806DDEAE2A7614073FCE4C4F5248CFB3B6898D40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:29.274{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53432-false10.0.1.12-8000- 10341000x8000000000000000424897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.429{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3D0F-6171-4D2E-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.429{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.429{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.429{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.429{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.429{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3D0F-6171-4D2E-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.429{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3D0F-6171-4D2E-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.424{8D4DD44E-3D0F-6171-4D2E-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.108{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4BBCFAAAC9AE24ACD1D365A7D337E9E,SHA256=0FE4DFAEC12F89BBF1CDC7B075AEEA540AA535DA63A95FCC5FF2D4265ED3F60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:31.108{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5FA97BB687FA4BDB943B5F80B7C1553,SHA256=1EAC2D51E0691D85A931C08B6210C3B7D7A4ED74EB81B23DD7CC613C963B4F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:32.891{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D257C143169F43D32782E53E6AF9BF07,SHA256=7A13360D9FA699E4912D0D24B10BECEB8F4A98FF0A726058F2DD3253ACDB4DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:32.934{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54ED75FAAB1B9A6BCBC2E7BE5148F43,SHA256=C2122298D746A9FDBB472978DAB0F41AAFEC331A54E2977FAADCC4038531A8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:32.444{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4BBCFAAAC9AE24ACD1D365A7D337E9E,SHA256=0FE4DFAEC12F89BBF1CDC7B075AEEA540AA535DA63A95FCC5FF2D4265ED3F60F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000424902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:12:32.245{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x8000000000000000424901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:12:32.245{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x8000000000000000424900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:12:32.245{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 354300x8000000000000000424899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:32.288{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62073-false10.0.1.12-8000- 23542300x8000000000000000424905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:33.906{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC88C23096F944854B52DBB5E9801D0,SHA256=DE22BD8810A342F7D737EEC529241719DF3FB52F69336FB550C569A50A9DFBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:33.950{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C048DB2F5D664EA2905D4A7EE165C1B5,SHA256=45FABECC373680A78BD113133E3FF4BC672C2B624001E729EEA14543727B1B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:34.974{8D4DD44E-BF3B-616F-1300-000000000502}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B428F959F8C88B5967D0C6BA21652036,SHA256=C7AA94A925B194AEAED4636B7D499D5881FFE3135A8E5A02561C33CE0D8A798D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:34.924{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB1EC08105381E004A6565252849189,SHA256=AEE9F514F09A64551EE833C0375C60880965ABEC3BD937B86001ADB1803DE427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:34.965{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BB8B81C3ADA8AADB29990D1DF89DF1,SHA256=74F63C26E85AE8CE5AF445B7FB9507CFD8B51275E225E28E9FF1BA8DF8ED13D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:34.418{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62076-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000424910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:34.418{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62076-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000424909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:34.411{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62075-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000424908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:34.411{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62075-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x8000000000000000424907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:34.388{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62074-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x8000000000000000424906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:34.388{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62074-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x8000000000000000370113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:34.888{6F8252D3-BF39-616F-1000-000000000602}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0F8D1B26EF3831B83AE5E5118EEF58C1,SHA256=7FCD8C7362311EEA5534E33CD033E5498F92753B4208995A042236E249A62633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:35.980{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C275FDE31255CCEEBF4F6A470B3D3,SHA256=5C7CEAF8870A3978E7F52FC101276F5DD289FC7CCCDBBF019729606F6A6726B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:35.944{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4483C81E2270FB57F0913678FB11BCE,SHA256=CB4B960579C33045E5F75EDE6072E44915B4F6AFC41FFD9BDD255A1DB999C9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.975{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBC871C44988A697CD2205FA778391F,SHA256=B69DBCC5C381581E84208201EFDF3340EEDB5052B5725434A3566EC3C9975B3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.871{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.871{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.871{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.871{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.871{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.871{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.558{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000370116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:35.164{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53433-false10.0.1.12-8000- 10341000x8000000000000000424923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.559{8D4DD44E-3D14-6171-4E2E-000000000502}11121516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.344{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3D14-6171-4E2E-000000000502}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.344{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.344{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.344{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3D14-6171-4E2E-000000000502}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.344{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.344{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.344{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3D14-6171-4E2E-000000000502}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:36.344{8D4DD44E-3D14-6171-4E2E-000000000502}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000424943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.627{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3D15-6171-502E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.627{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.627{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.627{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3D15-6171-502E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.627{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.627{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3D15-6171-502E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.627{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.623{8D4DD44E-3D15-6171-502E-000000000502}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.359{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90FB746A206428CA50A7C247F9DB34CA,SHA256=6FB1558EE369EFF0C8FC4D40DB30F1AFC1C816D5A78319D28A17060E0AAAAF5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.405{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62077-false10.0.1.12-8000- 10341000x8000000000000000424933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.228{8D4DD44E-3D15-6171-4F2E-000000000502}20805780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.029{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3D15-6171-4F2E-000000000502}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.006{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.006{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.006{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.006{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.006{8D4DD44E-BF38-616F-0500-000000000502}416432C:\Windows\system32\csrss.exe{8D4DD44E-3D15-6171-4F2E-000000000502}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.006{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3D15-6171-4F2E-000000000502}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:37.007{8D4DD44E-3D15-6171-4F2E-000000000502}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.980{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90212E82091D19408C946A8E473D8C45,SHA256=4857D9759C90F3A2BD745292E62E60F6A3A9E734388461760D7B4D1C195C55FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.980{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C95C943B3DA83DDBD8C6B92A9D3ABC01,SHA256=6EC99FFF3D6AF90F0B7501C4DF89AFEF2FD9AF990F0DC78841FE06717032A3FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.308{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.308{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.308{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF39-616F-1400-000000000602}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.308{6F8252D3-BF39-616F-0B00-000000000602}6324076C:\Windows\system32\lsass.exe{6F8252D3-BF1C-616F-0100-000000000602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000370132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.012{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71438258B247B4CC8A665445F8D930,SHA256=A034127CA81D046E46BD747D7F9E0F69EE8AC1AFAC0F1EB512B037511A1714F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.325{6F8252D3-BF1C-616F-0100-000000000602}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53438-false10.0.1.14-445microsoft-ds 354300x8000000000000000370144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:37.008{6F8252D3-BF3A-616F-1600-000000000602}1192C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53437-false10.0.1.14-389ldap 354300x8000000000000000370143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.884{6F8252D3-BF3A-616F-1600-000000000602}1192C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53436-false10.0.1.14-389ldap 354300x8000000000000000370142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.683{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53435-false10.0.1.14-49666- 354300x8000000000000000370141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.681{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53434-false10.0.1.14-135epmap 354300x8000000000000000370140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:36.577{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-470.attackrange.local59861-false10.0.1.14-389- 23542300x8000000000000000370139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:38.012{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1CF8C4B98D8D17BA4E7CDFB259EABE,SHA256=5FBE512913CCDC0FE324234DF52513958545A85776186C3E0DAF07A79AF97CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.643{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A498905833524B067D41E53BCF1B910,SHA256=C86DA73BFD29BE96EB629F7BA8957166D0361E2B4C252BC703079BBAA586DB30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000424957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.474{8D4DD44E-3D16-6171-512E-000000000502}56525016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000424956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.837{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53435-false10.0.1.14win-dc-185.attackrange.local49666- 354300x8000000000000000424955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.835{8D4DD44E-BF3B-616F-0D00-000000000502}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15-53434-false10.0.1.14win-dc-185.attackrange.local135epmap 354300x8000000000000000424954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.732{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local389-false10.0.1.15-59861- 354300x8000000000000000424953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.728{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15-59860- 10341000x8000000000000000424952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.243{8D4DD44E-BF49-616F-3500-000000000502}32883308C:\Windows\system32\conhost.exe{8D4DD44E-3D16-6171-512E-000000000502}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.243{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.243{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.243{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.243{8D4DD44E-BF3B-616F-0C00-000000000502}8364728C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2800-000000000502}2932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.243{8D4DD44E-BF38-616F-0500-000000000502}416532C:\Windows\system32\csrss.exe{8D4DD44E-3D16-6171-512E-000000000502}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000424946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.243{8D4DD44E-BF48-616F-2D00-000000000502}23162904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-3D16-6171-512E-000000000502}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.244{8D4DD44E-3D16-6171-512E-000000000502}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000424944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:38.005{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6520B3F9091CF242A988E5182C1B80,SHA256=6F946290DA052EFDC87C03905C8811CB7B1A4E078EEA16AB52AFDA206AE2F1E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:38.095{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-5803-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000370147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:39.183{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90212E82091D19408C946A8E473D8C45,SHA256=4857D9759C90F3A2BD745292E62E60F6A3A9E734388461760D7B4D1C195C55FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:39.043{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC21738817525B8474DFDEFE297AF8E,SHA256=9AD9B3CA1F8DE0159787510F9D971CF71F9168A761C67125E081E921A0E1F886,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000424964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:39.479{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53438-false10.0.1.14win-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000424963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:39.162{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53437-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x8000000000000000424962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:39.050{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local389-false10.0.1.15-53143- 354300x8000000000000000424961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:39.049{8D4DD44E-BF48-616F-2B00-000000000502}1564C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.15-53142- 354300x8000000000000000424960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:39.038{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53436-false10.0.1.14win-dc-185.attackrange.local389ldap 23542300x8000000000000000424959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:39.006{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC63634543160FB92DCF42008C116E6F,SHA256=9CE43962CAC187932CB315C1C81962039B62BA1FC2E073BEB1F3071C4D03166B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:40.043{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D164B5CF6438970EBAE36909A39CBF4,SHA256=768FAC811F2FC73BD7855B3FC9E660C626A0D1A8EC4092A444538C3B928ECA07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000424965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:40.025{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7A515A7F87D1189824E54423D8C2BC,SHA256=FF10C6F3B5CB7D027A5A890F27CCAB9EB5818473A6E4A8BCC150FA58A4C56A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:41.137{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340281FE9D5B509D45B759C68D029EFD,SHA256=0A2B365AA35F21A97F98F3B8C3952FCB0CA35B45083B16120D0129B47D2460D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000425001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000425000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9301-000000000502}4832C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A3-616F-9001-000000000502}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.841{8D4DD44E-BF3B-616F-0D00-000000000502}900920C:\Windows\system32\svchost.exe{8D4DD44E-C6A4-616F-9401-000000000502}4928C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000424966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:41.041{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96479ECBDB2A2FA29C19A5DA7A6612D2,SHA256=C3EDCDBA12C84AC5ACF02DF9CD324605B799D79CA3808212D0178ED502953D40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:43.283{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62078-false10.0.1.12-8000- 23542300x8000000000000000425002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:42.372{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CB0A0AEAA46C47F17766DCB9E9BF56,SHA256=E49F526B760E69FDB85D687745A1F36ACDD514124B54052FC9E1F3A3FDECDAF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:40.227{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53439-false10.0.1.12-8000- 23542300x8000000000000000370151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:42.183{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6432174E93776B2E0A14522E70D6AE5,SHA256=39C3E91442838D9ECDF65F1662359CDADF44959A5FA46A6D98730EF1AD9D0E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:43.402{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73EEBFF929366523A287A863CFFF0A51,SHA256=CE4E9DD77AF8FB58127512ADFEE4934656CA562AD0AD43ABD9B9458B09515A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:43.199{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E91B051732CB3952AB1DC554DBB5A21,SHA256=E1523F5A068C894DF0B23060D709D1938088040A51CAEC1B6279F02E84D3C0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:44.420{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA298DE838C9C60F36068C2B080E8F10,SHA256=A7D10BB9CCF5E07084224212296795D52D2AAC260EFDDAA20A1F1220EE365975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:44.824{6F8252D3-BF3A-616F-1C00-000000000602}1964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:44.230{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C788687C9814A49EFD779B3A666EBC17,SHA256=5C6C85BD8855A4A96BF8846488A642B5B3D06A53ED2D470997D91E21DBEC3510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:45.262{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3131F95BB4D5867356DFF678B19FDC0C,SHA256=26ED1CFA41F2C0ABD4E880F2B631FC85BB262C04C9FE1CF1620B27524C7C4183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:45.937{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84999473B69637F5E4A1FFDEEE4E357C,SHA256=3264F99BBB2C3279CB97C65DF11EC60AB9D289A5868A0794C478BB4CFC84A423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:45.937{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58F797D27871BEF38A005E5B9EC02AF3,SHA256=2ABF53DDF3D6AA055DD30A5B6CAE55C4FD34345341770254C0BF052204E0A601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:45.453{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E19A6B445F7AF033240CDB64A700F1,SHA256=4DE74D6A650AFB6AAE1BDAD0AD0F5E95FDAA3C23F7910836BA8E69D9C82595CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:46.356{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10150A6FB89013E9EF202BB08F1EBE94,SHA256=A7EF03FDF5EB037A7411BFBB1288EDC35EF615B0B27A457575C981F94790B4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:46.499{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDB13C5CB49BC05FBDD4C46DCF41342,SHA256=C4E08F5E011FDB2801E211075CA575D10404AD7A2B0D17B443650CA2F153E097,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:46.795{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-23072-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000370160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:47.480{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BA3FA660A1050712B508F4A81370C7,SHA256=DF4640D1A6E8E07FFD9097F93D2ED80AA00CACA0C3C60140DD4F9C2B1BF53C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:47.516{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF04F753F89A3D86D41E3803DCCAC78,SHA256=FF1F15E75C2A69E6160817E3440F45D45C72614DEEFA54DBC60859C80DFBDEC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:46.070{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53441-false10.0.1.12-8000- 354300x8000000000000000370158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:44.821{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53440-false10.0.1.12-8089- 23542300x8000000000000000425013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:48.519{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE99C2AC07D25F4C4E6376BE9B93C29,SHA256=81DF243AB2B572A2D8850333CD92D26587FA9BA67CD976E9114672946B625806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:48.512{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDED4A28A7EB6378D783D8AB6761239,SHA256=AD692DBA9E4BF95E9ABC4634364C012153E76E9E96BA813F5D1249ED2A14DB85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:48.331{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62079-false10.0.1.12-8000- 23542300x8000000000000000370162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:49.512{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919F230E84205C7CB34DF96DDFCC6B83,SHA256=7054964669F296092C6652DE1E0A54D46F204D892234ABD9FF8990AAA5A33DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:49.533{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16799BADA2E2B9D028D329DB85C18FCF,SHA256=15F8C76AB394307BAEE752C1D69DF0E97222368E4609DEBCE6960FE742AF81A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:50.512{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4970A054388E2891B485CBD5163677F,SHA256=BF3DB79EA6200780F5834DA491AD7B62541A58D330CABAFBFE7A0DBE61251FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:50.563{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4D09E31CEF06D65B7DF4903F2810F8,SHA256=D4AF368868986E7CFF5707600EE4269CE22F03F54CCAA1ED0B55196AF1205133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:51.594{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8717AD1DFE74A5523DEEE88CDA57BE,SHA256=00AA9A61613B9FAADC94039781A9AAA2FF55EB355E865E51E4965610BD28FA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:51.512{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474651F536C2E723210DF9EB8B88B958,SHA256=9AAB0D9D02C7DC722B14EC69DFD65B33237D0EEFE2C00AD0F8B0C910AE21A240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:52.614{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9532EAE0BBA58420F6C524651720B742,SHA256=747D446774E7DF1BAF6734E25C45FBEA382ED64D232E64B7AD75372392333B88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:51.133{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53442-false10.0.1.12-8000- 23542300x8000000000000000370165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:52.512{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B81447F1AE11F33461D5BF907C4732,SHA256=29F3867729781C12EF65FDCA2FDBBF6A0EBE02F101008B20682BE9CBCEA86CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:53.512{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DFB6BDD7EFC0E92A7B44CD785F15A8,SHA256=063265A1F58E960C0B5490309EB8DCFB59840D3CA72E8F9463D18D293D54B3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:53.629{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4870C31F6F5B8264ACA7F1373611AFF4,SHA256=77EF27FF529FC7A5C137E9E129FAD79CD3809311D76DF36C3033AF80F06579FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:54.210{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62080-false10.0.1.12-8000- 23542300x8000000000000000370168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:54.512{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851482B039F095A93F93E885129E68EB,SHA256=96627B067E9E7FEA69D85A4540686D03F7F8D3CCF1E9FA0AE6AD1748B1D1A5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:54.659{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0364431B9AE1144C5527AB391F08AC,SHA256=0491D5E7A6669AA51141FC789B8CE1242714162BB74C9B0CFC64F3A2A659D01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:54.360{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAEAE9C82A07D9C0FAC002F8362E1200,SHA256=F23FF7B3DFE55231398952BB4231C127F7DEF337C78FB97AE6D6F0B5E0847547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:54.360{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84999473B69637F5E4A1FFDEEE4E357C,SHA256=3264F99BBB2C3279CB97C65DF11EC60AB9D289A5868A0794C478BB4CFC84A423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:55.659{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70031E8A4D17B6C27B070A0F2E507279,SHA256=0375028DABD9C4F5FFD725923EA560AAF9CE2DA953D60A7CE478C315004C8951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:55.516{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66477E1F1654BB9DBE381C3CCACBD20,SHA256=C8CEEAFE7B4660D7C218206741083F3BF21F4EA46873D6AD0AE37C64296A2FEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:55.174{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-44677-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x8000000000000000425032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:56.674{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C20F73581EEDC68F14AC007F35DCA82,SHA256=93CC9CD13C17DB19E3F7F48D766EE2057B55183D637820E3FBB7B421D71FC40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:56.644{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211020070324-1588MD5=A81BA841D220B8F739A199087B181CD9,SHA256=2A143F747915C1221F79F692BBB6EF94C042925C50D9A904E140C72E2A297ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:56.517{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED52A8DEDBA9BFA03D80618037E22F94,SHA256=A7E9B3E305C9972EA66B3FE9CBCD64D2A7E4844F62EEBC82DCB18F9F5339A681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:56.028{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=236F643E75F462F8D19A344C4B4E645C,SHA256=C7084BD40341EC5EC7A70ED1A6F8B1DC32EDD55636EEA4EAFED0523BADC031DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:56.028{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=06FF0A9FA0EDEE663B3DD0F17B01D4BD,SHA256=A8F897FE7ADC84AAA5E17C6CC342663E32C3ADCDED835B141B200DFE593269CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:56.028{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=F3930BF769845717370B5795318CA981,SHA256=E6AA2B181AEC392EFB55BAEF95F2156DA4506B5A118623F460EA96210981C99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:56.028{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=44B3CFF7A4E6EDD33A8A8AD9ED65891D,SHA256=8217687ED9E232F80AFEE44593A3FF4F4B8035FFD26B6CDDD67C424F1982D547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:56.028{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=65C011E02AE158BF305F557F628074E1,SHA256=F07EFE2F76DE33C9D27C98BF37E87193CC3E50605E439221CC3B2F75799572D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:56.028{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=9441C3FD418198E6DEC2BCBDFA2A29E4,SHA256=5C71482784AFF9B3B0496ECE535F1C6939C277EDF830CC731474D37B0803F1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:56.028{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=2E2648DF7A8CB6F1DACEFD032E738505,SHA256=94A4378258E0AD55F54E196CD69613186DB92B7E952800BDC33BCC670DA2E397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:57.741{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E834A9F7B4D220C5EA50B5DBF4ABDEE0,SHA256=F9A1CEB53860FD27304DF99DD8FA284910188A62FA6A3243F977F7B7C66F3E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:57.658{6F8252D3-BF3A-616F-1A00-000000000602}1828NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211020070322-1589MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:57.532{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABE77210EE657FCA6420DF0B29E9C34,SHA256=BE86EFED22B16D05EEB76312362E760D233904B13E2F51DC50EA4C2E8F731F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:57.657{8D4DD44E-BF48-616F-2D00-000000000502}2316NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:58.534{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5C594E7FB947DC938C1DADCC5E1675,SHA256=28CFF9F39C73498237413D22A865591ABC341C5DE644DBA2C3AFF68B21181925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:58.742{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA446B67337CC32ED5964F79CDF03AFA,SHA256=16F2193D6A1BBC89BDB23233432D39D89DF4EBBE41E0220D33B54443DB16D45A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:56.185{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53443-false10.0.1.12-8000- 23542300x8000000000000000425040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:59.873{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8E7A2F8D5BAB29F7008AAA82A1E870,SHA256=4B7E029993DD7B640A3E968FDDD3BF86A592B80B40945322A803C01F3AC5C705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:59.873{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAEAE9C82A07D9C0FAC002F8362E1200,SHA256=F23FF7B3DFE55231398952BB4231C127F7DEF337C78FB97AE6D6F0B5E0847547,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:59.805{8D4DD44E-BF48-616F-2D00-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62082-false10.0.1.12-8089- 354300x8000000000000000425037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:59.290{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62081-false10.0.1.12-8000- 23542300x8000000000000000425036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:12:59.757{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5661474EE959D170C58710AD9C4EB4,SHA256=11707C5053A84CEEFCB1EB191CCE5B152B1E618237A8773933EAB64799265F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:12:59.549{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969C86097A07CAC056B1CDAC9A44DA53,SHA256=B5EF6AF0D22F455BED66711AC02EC5F41024C8084609710DCE6C56B88CD73B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:00.787{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C1B847EFD056FD22B4ED9C05F986ED,SHA256=2CEF140507FE6E3B73B65D407C57D49DCC76F7012FF9E433D0239CA2FFBE0CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:00.565{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9666223975DEAEA737D81D17124DFA2B,SHA256=E64CB590B7865295751B1AF7258B8B49BD151BF30C6A1A1BBC7744359DAE1E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:01.805{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDC01E1FDD2150DEE3E64378FDFD2E0,SHA256=541E47A60C44F1D2A4A725EEE5E56876A9226501C900134FEBC9CF6A16535B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:01.565{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADCE20CCE32D723FD027EB4DC7E35CE,SHA256=1A4E2817DA738FE404C11F0AE26DF862E147569FB4351D02DF86FF7CF74B20F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:02.892{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3587A48273EB41DE31EFC0C7016FA3,SHA256=85F4746B595FAF63337B172854C5884CEEFCF06F0C59E777FFAAEA0EECF6E0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:02.565{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799C78F5E6D4E5C306C576F593F6F956,SHA256=99503CF24B53D426F99583F72B6E2680D147666D6334CBA807FF62C997BA8B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:03.940{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED64582E7EF60D3FA9F3AB9FF870C81,SHA256=FB44EB17A8CFA4F84C2A3252A8756FA8DD4E0F784531595FB1D52CB6504D564A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:02.093{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53444-false10.0.1.12-8000- 23542300x8000000000000000370180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:03.565{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24A207C3F8CEB0A65F86AF688F6AC10,SHA256=6B16AD9C38373FFBB05B17AA36F08724E9F9662D44E8A4A012F8408C1F5FCA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:04.970{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A66478B55CC256C0F0D39B680D322D1,SHA256=20116EF3D726C2F869EAEE0B5FDFAC2F5B2315050B68602612939BA3382F6C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:04.565{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E967C705EE740A841B4991BC1574314,SHA256=D4614A1ADB04FE5F98FABBBE2EAC5B71B5A5FD2F2AEB92842D7F29420D03C04D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:04.409{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62083-false10.0.1.12-8000- 23542300x8000000000000000425045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:04.339{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8E7A2F8D5BAB29F7008AAA82A1E870,SHA256=4B7E029993DD7B640A3E968FDDD3BF86A592B80B40945322A803C01F3AC5C705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:05.565{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27858FF3D66DA4C641113C34D0CC0AD,SHA256=E964802ACE2743F530AB13B1B7FDFF7C9A61062CEFFFE483F7F6617440869307,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:05.493{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62084-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x8000000000000000425048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:05.493{8D4DD44E-BF48-616F-2700-000000000502}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local62084-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x8000000000000000370184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:06.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A50CA213825C2845AD07CE166F960D,SHA256=C44EF63B2F601CB97125A2AA66BD124E0B267CF074A62F47446113018B7C8C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:06.000{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D382BD2563DDBE85EBD693C3397D711C,SHA256=CBF14203BC2E66065D75A32474B80CD2D8E3EB6860358B2EAECD31139C02D7A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:06.148{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-19199-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 23542300x8000000000000000370187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:07.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD1925D6955A675CEBC36D8E5D03CBB,SHA256=8243E9DC75FDC579E46D54AABCCBC2F7CF771B1AD5C155A0B9B5DE43CD6311B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:07.017{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81242AB9E798B725C36CC12B233F8E7A,SHA256=4723CBD836410B3F9088E93570AD9403887CF28ABCAFE8A2DA4C0F51A7B5FD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:07.221{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E33CF8F7ED0690D9ABCE6322FFFDC38A,SHA256=33EC316B77F2D81A4DB387FD5D87D66C7467E4B6B3F9440BCD1D60E8E59E4C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:07.221{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EA30A7A7D5FF221B9A634446C518196,SHA256=F2CED7AE0F93C92D5358D5F1F44DCE15DB5ADE71F6D30FDF173C799470053117,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:07.108{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53446-false10.0.1.12-8000- 354300x8000000000000000370190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:06.227{6F8252D3-BF39-616F-0B00-000000000602}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53445-false10.0.1.14-49672- 23542300x8000000000000000370189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:08.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3D6A5597447DA053EDE8F11C995ED7,SHA256=6E57F29D401B844071F0B99F20F5B9E77B2A1F4857C7D8D8E90B48EF596211E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:08.381{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-53445-false10.0.1.14win-dc-185.attackrange.local49672- 23542300x8000000000000000425052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:08.035{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B81D86BA8E7284927549FAA8DDB24D2,SHA256=77798F4D9559DAD1D800F595EB1FAF2119D7E34702D5D020664B2BB0EEF0353B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:09.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794693C998691A2AC8E0739F422E292E,SHA256=5D2F62733C35E9C0D24A3F1A626B1F54B34795DCBEB369FA4B141D6D82A5E514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:09.066{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E253692BEBDC4C81D55AE7298F783E30,SHA256=A383242F74FBB7381795FE188180205E881C0A34A135426B11CDBA98CC0388C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:10.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE7A2433F09CE3715E44E328744A9C6,SHA256=1B1A1AA871545B5D05B63002E4CA35A82E20CA4AECFC42F9F55300C0093855C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:10.080{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3CC1E491266DBBBDB616A1D9E45BAC,SHA256=59B2289DA173EF2D6F19D35031A6447ADE4B2B9E36152F42F732688D02BFC9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:11.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26DFAC4AC4556A5B4DECF1AB165C617,SHA256=7D6BB9829539A00B1A237F6FDF3B0BD9DD397E91FAF98BF563CB7A3F8BBC9C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:11.166{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211020070339-1588MD5=2A95E15163FABCEC3B152BB047787C28,SHA256=3C5C267F24D985E7A1E963E48D816AF99F14C89EC5204D83B6F6B620484B34D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:10.299{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62085-false10.0.1.12-8000- 23542300x8000000000000000425056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:11.095{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D956D3BB56AF6CDA85AF6BB01DB8A98,SHA256=52AC631B840C792131CCB3C293EAC2AFC34FB8DC8F101212F462E6C1E766CDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:12.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4DC7EBC7AED7F17E077FA45EF31587,SHA256=7F39C80BD06BCBBB153D71ED5E45F44A1A439CFB0AA0C7E0AC001D053DB4465E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:12.179{8D4DD44E-BF48-616F-2C00-000000000502}1188NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211020070337-1589MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:12.113{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DAAF57F5A51C21BB970FF6A979A829,SHA256=7545F3B1C5D59437D723F874418A8F7F906EB82D550102D6AA5457ECE15D7B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:13.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A41E05372CCDAD78B47233020FB8741,SHA256=1467740DE85BC76A0E9DAB947FFC866BE32E76341575C7DBFEF6D532BCCD9C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:13.131{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD813B6DC4F6BDF8060A5606DCCBFD9,SHA256=FD5FD94441F175E7A22097803D8CBAF2DB4FA700EB63D1B1313D5A038DBFC95E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:13.089{6F8252D3-BF39-616F-0F00-000000000602}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-36916-false10.0.1.15win-host-470.attackrange.local3389ms-wbt-server 354300x8000000000000000370200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:12.218{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53447-false10.0.1.12-8000- 23542300x8000000000000000370199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:14.580{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63F02E27014BBD97240FCD851D315AA,SHA256=938DC17F9C252F52049A950B9DC1E94768DCB2CB900F7D73566479A8AD7CC6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:14.162{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD891FDEF6BAB2B625F3FF4BD9A943B5,SHA256=DAE5000BAA2FD15C596B17D83CDA0F18F86AAC6C6E108199FFE6D2009BC183FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:14.159{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC1255E2CBF91275EA50EE1D009FB85,SHA256=5C6C2B6EBCD3C0B457515FBD2BBCBD1D060D9FE37A640BE554C6BE281D2B91C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:14.159{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E33CF8F7ED0690D9ABCE6322FFFDC38A,SHA256=33EC316B77F2D81A4DB387FD5D87D66C7467E4B6B3F9440BCD1D60E8E59E4C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:15.595{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECE6863BDA354E270AA3027EDD78605,SHA256=F002853AD4E7E0218E4F0EC464AC778612AED6367917397618EF652E34996CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:15.395{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62086-false10.0.1.12-8000- 23542300x8000000000000000425063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:15.177{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19F169E347DA98F8009CAFDEDAE79AA,SHA256=B02709E6C2FFB9B0BDA6F11D7FAAC8531C8AA1C34B12A31562962B51F67B6228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D3C-6171-472D-000000000602}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3D3C-6171-472D-000000000602}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.814{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D3C-6171-472D-000000000602}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.815{6F8252D3-3D3C-6171-472D-000000000602}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:16.595{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC9EF2C0F23FD100FB2D46A833AF955,SHA256=80D644241BA871CB3A855423C6A63EFA3975DBD12247292421CD80B23F83C443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:16.191{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DB35381B29FA8B932E7EC439661853,SHA256=18FC503E0C8664933897589ADCF5318B91C60803F98F123F17BCE976015BAF78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.861{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D3D-6171-492D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3D3D-6171-492D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.845{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D3D-6171-492D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.846{6F8252D3-3D3D-6171-492D-000000000602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.830{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC1255E2CBF91275EA50EE1D009FB85,SHA256=5C6C2B6EBCD3C0B457515FBD2BBCBD1D060D9FE37A640BE554C6BE281D2B91C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.736{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFFB1FA31ED9D207F47ED5100B4055C,SHA256=4E74976243246EF74C2F1E779BDD5874B2F87A3E2D7D4D3C8A4FF2E46C714F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:17.209{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCFB1A901984D1BD385E8BC7EBB2929,SHA256=E785D1D29B1E9A407091A84FFD0A9B5CCF69C7B8CB264B6CB62FA8F6AA1C686B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D3D-6171-482D-000000000602}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF38-616F-0500-000000000602}416532C:\Windows\system32\csrss.exe{6F8252D3-3D3D-6171-482D-000000000602}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.330{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D3D-6171-482D-000000000602}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:17.315{6F8252D3-3D3D-6171-482D-000000000602}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:18.892{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB33775D32B7BA7EAD90B1A534303F1,SHA256=97DAF7A764BC4F23B746E36B7C8F4567875CFB7DFBA80B35C60398A759D19D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:18.259{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF395B9AA723AA9FDDCAE15D9B167B6F,SHA256=4FBBC212EDF8670C23A0F0C01F5FBE013439EAC965385E19B447AF8D2851742A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:18.861{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DAD9510A83F45E222E432175974114D,SHA256=7649883F4EF377253CFB836E060777D34D010C7728558AF4451F832749F7FC15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:18.017{6F8252D3-3D3D-6171-492D-000000000602}16683932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:19.908{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C177897224790BC49106C34FBC0743,SHA256=C143E5ECA52A7E186D0DF7A9EC44D837F9E360D9CF3A3345115449A0FBC4F49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:19.289{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9EBB714E67FC7F5151DEF03DFC5636,SHA256=E161C29892A2B1169E2ABDAF1CA4D6D5D24FB48B4F15C3BECE5F81158710611B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:20.307{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800197117566476088ADDE73D693FCC9,SHA256=76CD6109A9518BBE3E9A0D4044F9DEFC26B5A0B455DBF8CA88372ACB33DF0C98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:20.408{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62087-false10.0.1.12-8000- 354300x8000000000000000370250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:18.076{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53448-false10.0.1.12-8000- 23542300x8000000000000000370249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:21.048{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A3DA6F30D31F2FFF534505B68EEEB6,SHA256=BC40FCC0B2E92711DA56DE02D3EF36C9134A35CDA334FB4468E95AB28F311B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:21.372{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D964FDCE8F9746900B89E3D878BE898,SHA256=FD2DBBB33E8D7FFADC357DE64BE2ACB3382B58553CB04AB9568E936E50BCFDC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000425071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:21.056{8D4DD44E-BF39-616F-0B00-000000000502}6325748C:\Windows\system32\lsass.exe{8D4DD44E-BF1C-616F-0100-000000000502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000425079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:22.387{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7910788596209F4BFDB2CCE9A476E84,SHA256=C755B770F1A6C3395D85C1F159D7973C60290E5E07470E33DEABD7478E33BE98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D42-6171-4B2D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3D42-6171-4B2D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D42-6171-4B2D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.830{6F8252D3-3D42-6171-4B2D-000000000602}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000370265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.361{6F8252D3-3D42-6171-4A2D-000000000602}35761004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D42-6171-4A2D-000000000602}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-3D42-6171-4A2D-000000000602}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D42-6171-4A2D-000000000602}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.158{6F8252D3-3D42-6171-4A2D-000000000602}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:22.080{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F27717AD79F5318AA2292DE0CA25EAE,SHA256=85D4E71C5983A6C5D7CD0AEDB76C778A0BAF3AD316308B3DF3797AF529022790,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000425078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.222{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62088-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x8000000000000000425077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.222{8D4DD44E-BF1C-616F-0100-000000000502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local62088-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 23542300x8000000000000000425076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:22.071{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E899AAE20E52709A4199F093BCE21AFF,SHA256=83FB80CE0F690110B353777C24816309AB9D91A74DE2DD24646C7467C0F62025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:22.071{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C078710C1CF4F3E9AC6E1127C3523A0,SHA256=D4BE9BA56877AFF06123B8992C56FC80593284965FBC9AF2BC85E5719EB789DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000425074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:22.024{8D4DD44E-BF3C-616F-1600-000000000502}1292404C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000425073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:22.024{8D4DD44E-BF3C-616F-1600-000000000502}1292404C:\Windows\system32\svchost.exe{8D4DD44E-BF48-616F-2F00-000000000502}2272C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000425088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.954{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=71AB5F84DD3AC5FF643A8F4A1BEDEA33,SHA256=D5FE3C1450C365408122FF233EAB8AD3384005F328C74847FFB5A2AAFC9ED614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.954{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=1256D0ED5C0801FD691FAC04D1728622,SHA256=D47712DEB698E67422DBD0F822756678BB54CFF5F3204CA073097425D9C2024E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.954{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=3EDB78F3A300604290F4DA1A2CC2B80C,SHA256=8AB8E939B084721841C7241EB6D61DED820D4B1966869FB3FD5C0EF68EDC8091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.954{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=0C729253E8A8572C92EE0141CE81B0B3,SHA256=C5EE4411B2B9F339B0F50FBE2C72EE60AA4D9274AF01FDD442CA7BE060EAA302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.954{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=4D576F136C22E6B5B3DB797C6805962A,SHA256=60C8F61FA82AEE208ADFCD0AFCA7B31680312EEA5E873B04C716725444BB0F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.954{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=C8A1CBCD01AB86BF90C8C0FF8C8F4DB1,SHA256=7D556AFE32365F2CA3205B9F1ACABCB408DCCD141190FBCB62B38C14601DF6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.954{8D4DD44E-1AA2-6171-1D2A-000000000502}408ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\82qrykky.default-release\datareporting\glean\db\data.safe.binMD5=408AE4B5306FB62C69EAC70392AF098C,SHA256=DEE73B88EC66EE5760A47ED33D407507EA8D6853FE4410672D84D1D5332DFBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.423{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DB2FAF01D4A929466CD6D87BA70A63,SHA256=FE4D951076DE8E0BBB4ABE970C64600F6635CADA29F9C2837695B069016D5533,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370295Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.689{6F8252D3-3D43-6171-4C2D-000000000602}2540708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370294Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.517{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1C71136A5076F3C2BE60A5B69987E8,SHA256=8D09F72BE2FA92A377BF8067624624310D3A8ECF7236AEC939F2FC04B4F6F1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370293Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.517{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73BA42D3FFFD1A4198570C6A2F0D315C,SHA256=E1AEA93BA42B310FB7B7DBF6ACB156631E3E87C179A119ACA196571FFFD1BAFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370292Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D43-6171-4C2D-000000000602}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370291Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370290Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370289Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370288Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370287Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370286Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370285Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370284Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370283Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370282Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF38-616F-0500-000000000602}416432C:\Windows\system32\csrss.exe{6F8252D3-3D43-6171-4C2D-000000000602}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370281Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.501{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D43-6171-4C2D-000000000602}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370280Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.502{6F8252D3-3D43-6171-4C2D-000000000602}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000425080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:23.667{8D4DD44E-BF3B-616F-1000-000000000502}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.158-58927-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 10341000x8000000000000000370279Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.001{6F8252D3-3D42-6171-4B2D-000000000602}15683252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000370310Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.642{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70417888D8D263001F82799157A2F317,SHA256=E72D47FF650F5D0B361EA152D2D256F9159010C05DE6F030E94D689572D53FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:24.438{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1413BB22BF7867834A4037174ECE00D,SHA256=DF2B7BB8C4509FF05A14BB18F077FA8A5CCDFE4F589596D0C2AB931956235851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000370309Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.517{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B747436CDF72C7C486F5284FFD867CDB,SHA256=788A4D670F23DDBE5D5D3B01F4E00471369AB18275F04EEA319BFE4AE7DEC152,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000370308Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF3B-616F-2B00-000000000602}28842904C:\Windows\system32\conhost.exe{6F8252D3-3D44-6171-4D2D-000000000602}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370307Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370306Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370305Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370304Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370303Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370302Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370301Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370300Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370299Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF39-616F-0C00-000000000602}7321684C:\Windows\system32\svchost.exe{6F8252D3-BF3A-616F-1D00-000000000602}1972C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370298Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF38-616F-0500-000000000602}416984C:\Windows\system32\csrss.exe{6F8252D3-3D44-6171-4D2D-000000000602}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370297Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.298{6F8252D3-BF3A-616F-1C00-000000000602}19643968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-3D44-6171-4D2D-000000000602}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000370296Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:24.299{6F8252D3-3D44-6171-4D2D-000000000602}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-BF39-616F-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-BF3A-616F-1C00-000000000602}1964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000370312Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:25.800{6F8252D3-BF4B-616F-7000-000000000602}3200NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E2132E3C9965B76BC52B2026C08068,SHA256=7E1B80810FF0EFDDA9B45539ECDBE11934F6540CA51F0C4375D707CC0329C9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000425090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:25.453{8D4DD44E-BF5B-616F-7700-000000000502}3408NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C31AE252871A767A49B40DE8452214,SHA256=94CAE0631C941C798CE9A44868AC69940150ECCC040EB948044082A927D7D92A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000370311Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-21 10:13:23.154{6F8252D3-BF44-616F-6600-000000000602}3016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local53449-false10.0.1.12-8000- 354300x8000000000000000425101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-21 10:13:26.265{8D4DD44E-BF54-616F-6E00-000000000502}3536C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local62089-false10.0.1.12-8000- 13241300x8000000000000000425100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000425099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05d51a21) 13241300x8000000000000000425098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c65b-0xe76cd14c) 13241300x8000000000000000425097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c664-0x4931394c) 13241300x8000000000000000425096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c66c-0xaaf5a14c) 13241300x8000000000000000425095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000425094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05d51a21) 13241300x8000000000000000425093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c65b-0xe76cd14c) 13241300x8000000000000000425092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c664-0x4931394c) 13241300x8000000000000000425091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-21 10:13:26.068{8D4DD44E-BF39-616F-0B00-000000000502}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c66c-0xaaf5a14c)