23542300x800000000000000052458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:37.752{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCE07F4A882E523F768918EEB97DF54,SHA256=062A26603D807084DEFAC1B17FE53D233F709EE46872E67A28DA34E4899DC2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:37.415{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBA344957F46C503EF245AF9C9A83565,SHA256=7D097C861CEAE81405509F00D161749CE7D6F8EAD996DF20DC0BD97A22FE7CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:37.008{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BEC67FCDC87C0D25EF757841BE19A2,SHA256=D081BFCC29A595BAC97DF052D2A65618DF848C5876715122B1F59260772EC00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:38.908{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4783CA32C21F0BF56202D86EE80484,SHA256=906FDC43150FD605299F0CD548C58BC5A95D919826C04BBDFA68CE4C7DE66E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:38.055{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCF3081D8B2172B51BF99987B054F44,SHA256=E8AD310BF549A6506301420C5A600364224B846A99BDBDB34A4B36A2026DAC2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:36.114{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50061-false10.0.1.12-8000- 23542300x800000000000000052461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:39.940{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752864FA4DD5E9A88F405CFB5752A224,SHA256=F4F0E7447634826A6C87B06540BDD9AAE7264899A7F0B3D44ED8143A19A9FB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:39.149{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B594125A2EBD96E323F61883C107D3,SHA256=A9F8A48BEB0112CC8121B8554C2A01728B4C711C8D8B32BE84EE910BA8628344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.971{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8497FC22BAF53613F8D772E0E91551,SHA256=4FBEA9FED0B84848F2744EAFEDD37F81061D7CCC90A1E893DEE69F5BB4306B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:40.165{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44613196067F12D25AA82821469062DD,SHA256=C5E71CC90CCA547984C813276BA752F99004C0F47761442525D93B5C490A545B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.393{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45735BB8722BDBF4DEE286B0B4D30EB8,SHA256=0F711E0F3164AD58FC34FF5D37F1541B56E7A9FCC55BB8C8905CDFA9206D95FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.330{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000052501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.330{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000052500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.330{8D4DD44E-79A3-616D-3609-000000000402}48007072C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.330{8D4DD44E-79A3-616D-3609-000000000402}48007072C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.314{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000052497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.314{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000052496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000052495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000052494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A3-616D-3609-000000000402}48006004C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A3-616D-3609-000000000402}48006004C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000052491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000052490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.252{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.252{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.221{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-79A3-616D-3609-000000000402}48006056C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-79A3-616D-3609-000000000402}48006056C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.174{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.174{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.158{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.158{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.158{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.143{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.143{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.143{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.143{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.156{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8D4DD44E-5BA8-616D-0C00-000000000402}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000052522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.986{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AFC6355258D44191A5DE8B09B0D3C7,SHA256=363BBCA5CD36C69A7F61A9B7AA53813292D0AB745F991345AFBDA976E057B588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:41.180{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1704C6C3FF7696E2450A9DEA72E21A14,SHA256=D992AF9CF9E7924D62ABFCBD15350FD60B013CB44D6403E913DF568FAF4A49AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.283{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000052520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.283{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000052519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48004492C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002324C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48004492C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002324C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.252{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.252{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.252{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.252{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.158{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384EEDA5DD16019C579831D3221936C5,SHA256=44B8EC179D54B46BE8951EE7F62890A16BE20248D425D875770E0E50C9905DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.158{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F757669DEEC9243D917F987EA92CB73,SHA256=FDBF364D547B2B276B10426AA06785A5806F14AC3A2E2D6971B4DA96C0C69441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:42.096{8D4DD44E-8034-616D-1F0A-000000000402}6496ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-18_141636MD5=82D4EB6900240FF95273ADAD50704314,SHA256=CA27C307D44DC4F6A4565B54649935E70AC566EF2EA988BC6F142B2660C14480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:42.350{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-149MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:42.183{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292C6BA1A239E3BD5913455A9E18EAB7,SHA256=EFAF5C5445C2E8E17AA94302FEB9101115B1F5C31344F2178E2D3EE0816EC9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:43.331{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-150MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:43.189{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA3F81CE29A825BAED49581403A95B8,SHA256=F86733618CE7DB582FE06A906CFE102DDED34AFA89BDE36AC1C28A865099BAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:43.018{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB769DB8021EDDD50BE26353CDD5C791,SHA256=E9570906F8E2D4F0A8D2D5C701A8BDEE62EE3BAC8BE5CAEBD56312A3357435C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:40.717{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51590-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:44.190{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1290E2ADB96946578F7B5F966F00E050,SHA256=FA694D3C2B2B84D186B7F9D97E8430DB0F6D90D1489825C9DFE4B9A6372D95C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.958{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50062-false10.0.1.12-8000- 23542300x800000000000000052525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:44.049{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AF49C75C25E844F3AAC0B4D245E6A5,SHA256=87CA2561FFA1D6064A894CF4C4D9DE59F81303C493580A4BCBAB14DE06E33000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:45.205{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513C5102B8ACC832796F700ADCEF6FF7,SHA256=94A686EAABCE786EDF13E1CDE58CC3665B73D21AE7FA4343980E9A1C28589B13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.861{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.861{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.861{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.861{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000052527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.096{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40663B0425D011E037E604E2BA6C9413,SHA256=A23874A27D82C270B184F09E91672E05ACE2520E8424278E40B7E4CC97F66573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-79A2-616D-2C09-000000000402}19325356C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.564{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.564{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.564{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000052532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.127{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5713E9F6E5BEA5C422FAC142E456D823,SHA256=11CA1040F054FEF673A5CCF83D3EBEDAEE51E19356E44E3AFE4B2B0DBCFF3AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:46.221{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD6E1CA4C9A1876E61F9C90CB61FE0B,SHA256=781709626E7DBBFB46D1C9757F8BD34C8A6A490F2A8EF7BD5AED8B3CBDB00C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:47.142{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F467D6EC75A621DDB88870832D7D17,SHA256=197ADA5EF40B4DDFBB3B7D2F8F6572683A076605D2C7381E3B22C65A4C4669E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:47.237{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB96C6BF1599AE1CBB71DF6D802FF7B1,SHA256=7C203602117AF5887A136D5D86FD6FF192DFED722514175B0EC2A1932806EED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:48.252{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701420E634F1259F20D5B73E6C9F9105,SHA256=3A63CA6961F8E3237146413FE5C325822C20769DD7294AEED21CF7AF1ACC1076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:48.174{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4E40B301F063F941FC1BF72C86CF9C,SHA256=3D39593752534A89712DE22FA3BE88D89DF44989C55517C60A75268DEA5EED73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:49.259{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56077B37B2C757F0DCC502B777D7AA0C,SHA256=587C4466DD1491FCEC31E9332E6E8C20600B2EBD2370AFDD3A243E480EF362A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:48.020{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50063-false10.0.1.12-8000- 23542300x800000000000000052544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:49.174{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBDA09E05B49150A6D252FBAB7F0DD0,SHA256=0593DECD5BAFDE5C4C4366ED6B5EA0746E8C7D6D69E9ABFF6DB4E6BA42866712,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:46.492{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51591-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000052546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:50.221{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFA1B64EE56DC21941FB35595FE2F62,SHA256=A465EFD539848420560FC8984F22106E0F35B8A503DB76F1DF08361EE8777E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:50.275{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6543E17A7EFCC95806655F527A27F70C,SHA256=4AB3DEFBAB2ED8ADCEABDE8D98D7C4EB5E2225BC6B45CE8FF47A5545855610AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:51.236{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210AAC6ABD45662F032DE10D6AF5B000,SHA256=F84BD322198E8F1C8CF14DC281313C084222FB79AE343C50622D52ECA59FDBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:51.291{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493C403D59477144F9222F4BBE684ACE,SHA256=650A41D093D2295ACEECD1693A892CB517EAE874E9806361B48E4CA0E7F63BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:52.306{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BBDC372E0356E03CDFEF7505F87951,SHA256=BB3F5897D56834E436CC79696A1466804DAD7884B47DFE2ED8BA6551B9ADBC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:52.267{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C34767DEDCA24ABC62253DCD6F7C61D,SHA256=E45378F76963DE0D1D21DF710F4CB663A2E6E9235909519C93E55A1E6F3AE377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:52.197{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B23E1FBDCF46C6804CB2C57A21107B59,SHA256=0CEAF02326183B19F5C85D3F75B9CC0F0DB043880EFF062D356A018389C9F8A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:53.322{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FDC11F463E2F67BB1F1C4253A16B7B,SHA256=7F4EF3DED134BA01048550D2B7857AFFADD1823586D1182C4C4E4B235039845D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:53.267{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D193E0CF8D3A71EE458A7C80ED69A7A7,SHA256=17906EC417400CADF72CB60C70B4564A9DF8F91F76E7E2802D3002E810A4D0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:54.283{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4970C051E9ACD635B2E38F3EE52E9F80,SHA256=FB401E8A9682906CBDC9FAF390701031D5CA26CD7C4078910F869F267C3D6826,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:51.749{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51592-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:54.337{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE70883076E57A4BBF00064C1474F15F,SHA256=24B09813C03AAEF7D8D7B6A61519E80C0B7632238E4095D3795D3479C5DE95C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.970{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000052551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.314{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F53301723163B45F3576205779EB6ED,SHA256=2ABCFA4D57A10F50B97C84DF8E81C0C30943927BD6552C067FB37F5542EEA265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:55.353{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29ACB57EF078E01F58E298F43A54B43,SHA256=AB0447DB1E6D96B3164BA2C6965F8196A35F3233FF0A64320F47FB93CEC9D11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:56.369{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C39AB629599B61C83BA5878712C1C4,SHA256=B6A4FBC7801D7E3BDCE966C8B727367053B8B618C06622B58F12DD13A5078F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:56.877{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82EC16187FD28ACA63A2BCF1DFF4FBA3,SHA256=F063C63BBB44D675CE4FAAA76225E12A88C6E07CF6C24306067B549DC903F202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:56.877{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384EEDA5DD16019C579831D3221936C5,SHA256=44B8EC179D54B46BE8951EE7F62890A16BE20248D425D875770E0E50C9905DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:56.330{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEFB6528212BD9C7FBDC32D22DFB235,SHA256=FA5C9F2399AAD999F4CC35E29C6624AE38ACAC7ACDE6CAD75B31E77ED507786B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:53.975{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50064-false10.0.1.12-8000- 23542300x800000000000000036096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:57.384{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDBE14836FBCEDDD6A7A073F8ED75AF,SHA256=4A62060342D694D4329EC3A33B70BC15340DF20DCEEB658107A6815BBC4BA4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:57.345{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF0C2E01214D6B6A607BA010269CC7F,SHA256=1C8AB4C920DC8BFD4266FAF072AD3E48D501EAEC0727F0D18B6FB36EF5DE3C6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.836{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50067-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000052560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.734{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local50066-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000052559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.734{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50066-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000052558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.726{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50065-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000052557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.726{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50065-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000036097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:58.400{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC768041ABBB665E5FF62C8CF9140CC,SHA256=75317D4C8818DE550C13DB7AB0F80F7135CFE9BF5199804603DA1B523364B2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:58.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BCB2EF669EBEB1031B35EB1D7E6787,SHA256=3F56B2783211543696304240CD88ABD2AF287BDA0A9F2A196F6267BB143F23D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:59.424{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3DA97AE326D1C72D8673749C1C9D8F,SHA256=9DE9BE34A6CA423954594E70EDFFFEA692B91008F7B98288E23236ABB243F581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:59.415{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9CC148486BBC4076E9539F86A30D4E,SHA256=4250E4B38CD1541CA837B40F817E93056C54C2CB95A481744C816204DF1B3407,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:57.670{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51593-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000052564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.836{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50067-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 23542300x800000000000000036100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:00.431{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3983F08F724C778D5DF2E502298664BE,SHA256=E7508E0AD4739EC6BD313BCED876DC6555D41A84E2EE2175A15BD562EA2DFB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:00.455{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3640C31A997F4E746B28278F03766FC8,SHA256=BD24C84DF874FD81193A03CC9C35872059CBBBF41961A9B48155AC1A85BF3D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:01.431{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFF43F38589280F92A12C0BEA974B1E,SHA256=CE3236EA3868DF5B53E5BBF20419C46FE4976D311D7C4A51589D4EB445C3E62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:01.470{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3583FF17A2CC12D7558149D9AD1A663,SHA256=B6EB6EAA991985C99C02A5C873ED147CC0CDF62E8EC07E967BC4455148DFAE49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:59.052{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50068-false10.0.1.12-8000- 23542300x800000000000000036102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:02.462{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE82B75EBCE1E0CE169F2C391734DB9E,SHA256=39874A03F371161E93D9AA2F507F594434090A810E3003203931FFBF9FF854AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:02.986{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0203B0C4D98AA8490C9BED84F67EAADA,SHA256=3C72852C17C7A7BBF7E7489E2B0FBDDA6C576611FC5E2DC4A32B676A5D56B056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:02.486{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B9C85B081E73D6781807DBBDFFF3C4,SHA256=39A417B2A152BEEFDF952012B9AA7CB00F08D4BB706BD5DFFB7309D650F889FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:03.595{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FCC2B11C46FBA00CCA69427B5798CE,SHA256=DD6A36531D64A60611EDF81DCD5ACF62905C153AD7D2DAC4494BB4AD992FCB3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:03.494{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2650A4D17D817C6E0E5AF636AD1D082C,SHA256=8C74903FA0A2ADBB000767BE77707E571897A7671F51E00B1E57BF62AC17EA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.627{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223EA9A6B36E5600DB984A2BB176C9CE,SHA256=03F344026E3C2FF44DB2F2AAA2B918840CE1FE89770610604228775025243CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:04.556{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CC3EC5E7F8793DA45A8C3F2D290024,SHA256=AEAAF1026E393F42CF179D2224D8BDAB3B004F43E73AE07EF2EFB808C0AE0F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:03.529{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51594-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:05.572{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952ED3F895B0FBBBB47A8CDC3FFC4BD9,SHA256=D4A4484570E52B9DF85E95DD408043C9C63AD18118459F11BF6615BC03064A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.642{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5D9BE39B61D1B7F119E9462E8F4B91,SHA256=B0665E42A0525BF4F34F4F44B62EBB8D4D919D549277628746D02E45D1F26B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:06.619{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B397FDFEFE0F9D00B5BB5C1504000F,SHA256=33FD94B438A7D083C89BB9023FFA4C3C32E8264C307ED5A0762CDC3B96269FAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E2-616D-6B0A-000000000402}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81E2-616D-6B0A-000000000402}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E2-616D-6B0A-000000000402}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.706{8D4DD44E-81E2-616D-6B0A-000000000402}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.642{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D708C7CDF6B565195122BFCFDA7926C9,SHA256=E902A8DE40BE98874D2AEAAB1EE2AD0BC4D9E41E524E4F0B7C96521456310991,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.004{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50069-false10.0.1.12-8000- 10341000x800000000000000052596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.220{8D4DD44E-81E2-616D-6A0A-000000000402}47246972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E2-616D-6A0A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-81E2-616D-6A0A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E2-616D-6A0A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.034{8D4DD44E-81E2-616D-6A0A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:07.681{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F7A084CEC0A758FC94D2CDA4308BC0,SHA256=616049BB7A165989E25AD828B79C7516076A2E253F1527F5BAED15EC565171C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E3-616D-6D0A-000000000402}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81E3-616D-6D0A-000000000402}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E3-616D-6D0A-000000000402}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.878{8D4DD44E-81E3-616D-6D0A-000000000402}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.658{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A027B5E06E5C58AB12A299C26950C8,SHA256=46B4CD804A1CA0670A9E91BE5B5ADAAA3D0DF369FD67BDD1677109A48485BABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E3-616D-6C0A-000000000402}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81E3-616D-6C0A-000000000402}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E3-616D-6C0A-000000000402}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-81E3-616D-6C0A-000000000402}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.064{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=047D6F356BFFAF43D09E1E1B0EBE13FD,SHA256=48F8F439D83C37FFCD92672C433788C1F1385ECFB5D42A19FC150BBF87C3146E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.064{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82EC16187FD28ACA63A2BCF1DFF4FBA3,SHA256=F063C63BBB44D675CE4FAAA76225E12A88C6E07CF6C24306067B549DC903F202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.929{8D4DD44E-81E4-616D-6E0A-000000000402}3446696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E4-616D-6E0A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-81E4-616D-6E0A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E4-616D-6E0A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.727{8D4DD44E-81E4-616D-6E0A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.663{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD7A57AFEBCF99D6ED5DA5E52F8B18A,SHA256=44DE0D3F721051FD26FEDC571E1A9A8336FA6C71277B965CA61195A71835357C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:08.717{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BECA7A332F336749E7709055B6BADF1,SHA256=86C74D7EF658F6E8EB92137E017CBCCCAD0900C4E3FB6DA4975E752EDA23C00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.554{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=047D6F356BFFAF43D09E1E1B0EBE13FD,SHA256=48F8F439D83C37FFCD92672C433788C1F1385ECFB5D42A19FC150BBF87C3146E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.064{8D4DD44E-81E3-616D-6D0A-000000000402}69847016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.960{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=707E0DD472C1F967EC860876E2683532,SHA256=4D83679D74029CECA21659C57038D299C830700044D3E97078E13E6092C66F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.679{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4F7B47AB7020146C14C60FFA1222C4,SHA256=4E4E95CE317E7C299264A5E891CAC8A1227CDC471C4BE714AB64D70AEE563422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:09.733{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBF316D46160E4874BC8CDC492D61B7,SHA256=BF319B60BE2BC8CEEDC55B9E56448E794D922313E24FA5BDDED535DBD168F30C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.569{8D4DD44E-81E5-616D-6F0A-000000000402}43486956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E5-616D-6F0A-000000000402}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81E5-616D-6F0A-000000000402}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E5-616D-6F0A-000000000402}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.398{8D4DD44E-81E5-616D-6F0A-000000000402}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:09.327{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:08.800{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:10.748{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7232E76B2DC248C05E9A830F10CF5C8,SHA256=58D0C378F17C0F0A9BA500F1ABF3CF70A6E3BBC5199411678E2CF6C0D6FEA900,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.400{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50070-false10.0.1.12-8089- 23542300x800000000000000052650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:10.694{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7716FEEE860A5EB8BC9DBDC638DDD0,SHA256=D21D2EBC11624304B52B78D38B1F8D4C3634F9B448E5AD657C7D5A6104A43189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:11.764{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF709A9A586641BF2FFA7EF4956DAC8,SHA256=222BBB1EE51AF5E37D99A21BAA1A7182008B97FBD9E992300F4627DC993F167B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E7-616D-700A-000000000402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-81E7-616D-700A-000000000402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E7-616D-700A-000000000402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.773{8D4DD44E-81E7-616D-700A-000000000402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.694{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD45DE93F74761E8D089BF823EFF3BE3,SHA256=30E05B6E65D8FB5026A0B763012236B7A777BCBA589810004AF12A03EAD1ABD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:10.963{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50071-false10.0.1.12-8000- 23542300x800000000000000052672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:12.788{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C69CDC4CCB07EB18EAE1EFED6A5C523,SHA256=44EE1DFB036BC8B8C6F9AB3CF0A0C8F17B2080AE4B9E40164E376E8BA87D67D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:12.710{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361F0B4335D868A55810954584656F42,SHA256=F453ADAF9ACF020F2A64DBFB9B99A811EF8FFB7A39C01EF5280F772624C98845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:12.780{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69651D32436A74B64F36C6E3E1E332C,SHA256=E5C3C40809950B9A496B2F80EA4A5FC05EA0957D75BC1D0950D9738DFE6D96FE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000052670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000052669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00957c11) 13241300x800000000000000052668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c422-0x75c0e736) 13241300x800000000000000052667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42a-0xd7854f36) 13241300x800000000000000052666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c433-0x3949b736) 13241300x800000000000000052665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000052664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00957c11) 13241300x800000000000000052663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c422-0x75c0e736) 13241300x800000000000000052662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42a-0xd7854f36) 13241300x800000000000000052661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c433-0x3949b736) 23542300x800000000000000052674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:13.726{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71542328D6CAF1309D69CD0098775327,SHA256=454F6514D005FFB20B4A1E5AEAF0820F2ACA72B692C89804C6A6D2F81E0D686E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:13.795{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9130E37509809DF50410F54C0A61709B,SHA256=47F008FE13039CF36F4588A64E2AA5573575BC091C643B46E5E98BC88DED95A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:09.581{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51596-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:14.811{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B00F2527CA3B51F01EEDB66C61DF5F,SHA256=3C684C55C1DB2718EBD2BCB83A52DFDD6848DD520315FB97F844C605E79A3CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:14.741{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E079B9B711C947B40889D3AD46EB5C5F,SHA256=746A15489CF1588CC5EDBC2A8B2D1D6CD2A4B5C86CEBC3D31A9C75CE866D51EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:15.827{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C32EE3A90B2C94A6DE4BE6BEC7A4C45,SHA256=527DDD7725418607E0D82412F78BB45C10FBAE1D22C2C25CFB0F3AD5416E700C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:15.757{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07D0102652E63FE06E3F99298B0BD24,SHA256=8F1E828773AAE4CEAC156F500BD42B5DBAA8335832CEC5B711774B8122D9FA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:16.772{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EB7832CFFCF0CF5018A83F053FE5A5,SHA256=6009B565357E99309C444358C34289320708A2A2AB468046A47199A5ADE74E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:16.827{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D108D56B59B412FDC0FD4A9DD3C46AE,SHA256=2375E5C70A4493E0F96C4397981773CAE051DB469D45EB133F62FA9BC2F4EE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:17.788{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A804D4A07CD311A3BA0A36FD0D72C9,SHA256=582C10E89F949A5BFCF646E28FB48F444D9995CD63EE4E7F4DFC9D70FAC87745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:17.842{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC2BAFCFC5BD6DABDC17CAAA9D57ACB,SHA256=B7E6CED851773233E0A9D799B1B5C7909DBF1CCD7A339802329604E4B02A0239,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:14.690{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51597-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:18.858{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6D7CA194059EBA63DDB477D3A20A40,SHA256=62980FE68108013F5DB7C373E8142F76623157A28BBB002F57117FF7B231A40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:18.804{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD1FC51B5415EE5E5DE6966B570845D,SHA256=ACC22530E038F715739164A82BE8A024210C1ADD39FA8818D170A94C1BEF185E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:19.874{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A523F4964654AB100C2E3A70C8F3D6CA,SHA256=E9DF47E45ED3B6506BD7BE926C4A985C985FF2F29B058C2DFE5E54612451EE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:19.819{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C615EEC66295E186572DCC1680D77F31,SHA256=2D155C05E48232CC26CE70207728BA6B6CBCD12BBC887EF36269C1A1BED7DDA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:17.025{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50072-false10.0.1.12-8000- 23542300x800000000000000052682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:20.929{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE4A1867E5CEB4750B112A39F2396BA,SHA256=F49D57794E44DA5736DF884D0ECB171305E67E03BE1032A563322EDD58E26742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:20.889{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636B19EB9F8821F79D680741AE2044FB,SHA256=A44302B8099F42F1960ACA766366BC820644782A3D4A91CD84701BDFCBC67408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.945{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3EFA287583D2B43190ECE00CAC74C5,SHA256=1E7EF710D349FAEAF55A7E2056C96091410D7D36A25F36B7F7ACFF199383E9AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:21.905{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B52DC8A29B1A624CD4608DBCCFA5A17,SHA256=9EC65CE6009521AE6674091C1A3DB3F7BB4D73EC7F2AF54E05945534F61E206C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.664{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.664{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.664{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.664{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.648{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.648{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.648{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.961{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23FEB639F525AED1339F05109476065,SHA256=16DE03F0D3E78D6E72C4DF6D946D587C3B80C20A6BAA29E8D244BFBF58731133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:22.920{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4500FB98D0E7FF4EA7626878CEC47FDF,SHA256=869A005AC6EB77F2F488463A34154C2CE029C3A625DED6DB5C0575E828C9E6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.135{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-158MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:20.675{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51598-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:23.936{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF74EBEEE83BCC931C7A477B86261F89,SHA256=2252240B3A64464343A777CA0AD278414297EA2573129C62BB85057D160B8390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:23.978{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63117EEFCEEF26216CFC85F5DB77FB27,SHA256=74A382591508EBD5A480DC53ECB61DDE3EAAFFA21F3CC790F0E088CC50C1FDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:23.149{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:24.994{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B26E485D13842047228DA0222FFE77,SHA256=FB4AADB7E659F11B7A01916A26615A286A0343B12E947756030C9A26511D34DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:24.952{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B8C36E9258072A883C168068F69CDE,SHA256=52D74581BAB745871A53037B8551F7E2215377B749A95CD44B44CDFAECAEF159,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.671{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local55637- 354300x800000000000000052697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.670{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local50181- 354300x800000000000000052696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.670{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local63626- 354300x800000000000000052695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.669{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local57802- 23542300x800000000000000036131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:25.967{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48A2D5EBDE7B44014B0EBB01D3D2706,SHA256=1207CA335488E45A4A69016FDDDE79CF8CEA497AE5648B49833D13D6844DB839,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:23.040{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50073-false10.0.1.12-8000- 23542300x800000000000000036132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:26.983{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3B574DCDE6D6103B61AEE3A4E782A5,SHA256=AD0B66AC3F244CD368B33C22ACCE93417AF7C66C87F2A5E8937686D107896C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:26.056{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0695F121BEE07409F0CF4F187BB6A9AB,SHA256=83149A375E65B3780220A1D389BE4A6248CD01E477A74226EA87892C37FC857B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:27.983{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48F1FD6BF19BFC267D7C4D9A1568F37,SHA256=0BCF80A4EB7808447AC6147DEFA6EFD8D17CB412D718EEE82AE259825760F83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:27.087{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D38444CFD1A85568BE545E0B8F17F1,SHA256=A2496691171D4313FE3136E82DBEF4622D29818BACA92C687838BE042150E562,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:25.722{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51599-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:28.988{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FE6FF7BBC5C7982ADC6BE6BF906F4E,SHA256=E49A76587150BEB4863E653276D5D74ABBB8EDD2AC6D27F39971D14FDF5E3601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:28.119{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37E44A29DE35B80E7DE5E44FB25ABCC,SHA256=5EC5B92C09670DE2B07FBFB4847C11B9ED371CE4439EF90440B56531B868B788,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.136{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C457AC54A3F0B91C33B808CE77EECB,SHA256=7D93DBDA317A7ECDB5395FF6FCA9FA142F42E68777FC3B50F0468C10BAA5E046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:30.183{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344A15355C141D3B471A0B0D971AEA36,SHA256=1913922199EC8D4766F0A62A8B1CB89524EA01025DB07A1FA576BAF12FCFA2F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FA-616D-DF07-000000000502}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-81FA-616D-DF07-000000000502}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FA-616D-DF07-000000000502}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.723{6F8252D3-81FA-616D-DF07-000000000502}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.003{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E33C9B04835468C064F89186382AE32,SHA256=2245418FEB9538F50A02C7EB1CCB742A96AA8C0F0CB2702A1926BE8E73D02CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:28.983{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50074-false10.0.1.12-8000- 23542300x800000000000000052734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:31.199{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A26548834E39DBA0D9602EACFFD9BD,SHA256=BA54EC3230EA7CCD7C19D9410F479E4942572424C688B675FD7A6279FFB97A37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.956{6F8252D3-81FB-616D-E107-000000000502}14963864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.769{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFFC04A230F143E87FB5F795EB8F0148,SHA256=448227CD9A5E513C479ACAA696967ED49F8297F7E0A21EC1317C358BDA80A2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.769{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73E91C29B98EB75659848BEDC4CB01AE,SHA256=BDB6C2F260450AB83C7C2F5AEBF1E5C6B585DED4718664BED4041640DE656E2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FB-616D-E107-000000000502}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-81FB-616D-E107-000000000502}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FB-616D-E107-000000000502}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.723{6F8252D3-81FB-616D-E107-000000000502}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FB-616D-E007-000000000502}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-81FB-616D-E007-000000000502}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FB-616D-E007-000000000502}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.223{6F8252D3-81FB-616D-E007-000000000502}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.003{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B993001886E1E1EDD52ED088ECAB01,SHA256=C712359B0EBF2DCCC4C9F7ED77B126D4F6A17314E197C14CB5EB5EEEE3C3242A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.214{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DAFA4E9D958DD41F48E732FFD7FB5E,SHA256=39008112F4761ABB406BD19C3089A52096BDD63FCFD84C30FE2AAE67DE8D1947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:32.066{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1F5B7B27D98BAA3438FAF41B79953C,SHA256=DF84ED12A18C0056EBFBC43276B31353997966DCE6E1F5CABC656BB8789FD9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:33.543{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B092C427C4154FBD4FCE4F01D7310F3,SHA256=44E5AA0E89C1B322D9E8C8D35699DCC129A9E38DD4FBA159D038124DA6684B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:33.543{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8110F57FEB76BFFADFB0BF8CF378D7,SHA256=565F6C1A1A495D20252644D3FDC11B1E198544F64290E7C689962EC2ACAD26DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:33.230{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBC6A52263119E5B58E525DC4247FF4,SHA256=CBC9E976C03B2A8CD76E65208A7599FDF73D7CD76BE491C2DBE4825F3883E58C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.644{6F8252D3-81FD-616D-E207-000000000502}31601732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FD-616D-E207-000000000502}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-81FD-616D-E207-000000000502}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FD-616D-E207-000000000502}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.332{6F8252D3-81FD-616D-E207-000000000502}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.081{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C675F4151018FF38854C0D9163F1E559,SHA256=7FAE66147DDD179F866634096D9171534F80DDD70345332B65D8B4ACB5A1CD32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FE-616D-E407-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-81FE-616D-E407-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FE-616D-E407-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.880{6F8252D3-81FE-616D-E407-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.570{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51600-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FE-616D-E307-000000000502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-81FE-616D-E307-000000000502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FE-616D-E307-000000000502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.379{6F8252D3-81FE-616D-E307-000000000502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.362{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFFC04A230F143E87FB5F795EB8F0148,SHA256=448227CD9A5E513C479ACAA696967ED49F8297F7E0A21EC1317C358BDA80A2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.097{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351AFA19EA42C01206BCB7BF4B799C0A,SHA256=1BAD157D875E86C4923FEF2D131B9E9225C4F29EDA9631CB1D9F60818BCE6C23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.342{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50075-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000052748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.342{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50075-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000052747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:34.261{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226343742FCA34FBE64BB79EC7D742A2,SHA256=8F393DE693F28F64B5EAA367B800A6D7CA2015EC563F9AADAAD30C4D644159FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.659{6F8252D3-81FF-616D-E507-000000000502}2596936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FF-616D-E507-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-81FF-616D-E507-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FF-616D-E507-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.522{6F8252D3-81FF-616D-E507-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2F4E17B2A99A739A8CE23DEF3D1008,SHA256=0C7483891B4EA2D34A4220F1DF5CA289D7C72B7A25A1653E01C8F8948294A921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA8870F9C84C0CDB3E4702DFB25A032,SHA256=3A7FAF035A4033F5558ECDEA52DB7CE914FC1CD84C6B5BEC0342BFE7135397D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:34.076{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50076-false10.0.1.12-8000- 23542300x800000000000000052750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:35.277{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5E2191F8CF0D51B011FEA8BAF39721,SHA256=0A7F72D0C2C3264A6DA1110FF356F16A8D9071889FC37E352B18510C62BAF12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.019{6F8252D3-81FE-616D-E407-000000000502}39563268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:36.566{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8C846B93636E3B57264DDFB81C423E,SHA256=A0E6DB815527A781B281207C3DF96E94AE0102CF6D571F6F51DCF07306E240BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:36.308{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9A0AA547C8C2BFFAB85E8F7E698C11,SHA256=8925B99467D0B22B5475892EDF394C2CAF030DA44D51D9D281CF731A2D69D21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:36.534{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=394D0D98CE9C77BE5496481A92048A17,SHA256=C24C8C3010BF7A640BCFF267DEE677B9C258529E42B9A26B636C29744A14C487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:37.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E236637A50566688A6081055974C73C,SHA256=4CE72D6512BACE6DE39DDAE0CC197398E92062244085F52B4383CD58598475FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:37.339{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D8539BB4F057F8BFB21AD25CC2C6A9,SHA256=A8350CEEC249462DD07F5253F218E60AC9E62C6C2B2330E230A0DD251DDC63AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:38.597{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A3024F1D7066B4D55E0ECEAAC041B3,SHA256=E478AED28F7097BADEBDFE661C7ADF07576B367DA7EBADCE52B1741E9D5E3717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:38.371{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BE0EADC3EF093438C0656365AF02F6,SHA256=26B1A978A5B9B8C93FE99545064B9D0AC04EABC2B855E2667965E2B0F870D695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:39.644{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A84D648D34F99CD00A8760ED506716,SHA256=E2FC211345998F994EBCF02ED77F9B4F976A08B00A57CEED0B070330464E5EB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226 10341000x800000000000000052812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226 10341000x800000000000000052811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x800000000000000052810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d419 23542300x800000000000000052809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.433{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA994D616D25225868BE18592325712,SHA256=4200E1187BFD31B86395E253DCF92FDB1A930BF6429FDC3FBDB03CC29AD6D12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.417{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6011D2F51F2ABB093B9CCC3644C23EF3,SHA256=F8A4F416D4DA37FE2DC52A25CF936EB3CD211DFBCACF8B621B281EFDA13A452C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.339{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.339{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.339{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.339{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.292{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.292{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.292{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.292{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.261{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea77|C:\Windows\System32\SHELL32.dll+13def8|C:\Windows\System32\SHELL32.dll+13dafb|C:\Windows\System32\SHELL32.dll+13dc67|C:\Windows\System32\SHELL32.dll+13dbea|C:\Windows\System32\COMDLG32.dll+10e08 10341000x800000000000000052769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.261{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea77|C:\Windows\System32\SHELL32.dll+13def8|C:\Windows\System32\SHELL32.dll+13dafb|C:\Windows\System32\SHELL32.dll+13dc67|C:\Windows\System32\SHELL32.dll+13dbea|C:\Windows\System32\COMDLG32.dll+10e08 10341000x800000000000000052768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.261{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea77|C:\Windows\System32\SHELL32.dll+13def8 10341000x800000000000000052767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.261{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea77|C:\Windows\System32\SHELL32.dll+13def8|C:\Windows\System32\SHELL32.dll+13dafb 10341000x800000000000000052766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.246{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028e3|C:\Windows\System32\SHELL32.dll+103044|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x800000000000000052765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.246{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028e3|C:\Windows\System32\SHELL32.dll+103044|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x800000000000000052764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.246{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028e3|C:\Windows\System32\SHELL32.dll+103044|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x800000000000000052763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.246{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028e3|C:\Windows\System32\SHELL32.dll+103044|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x800000000000000052762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.183{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1746d2|C:\Windows\System32\windows.storage.dll+174ba6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824 10341000x800000000000000052761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.168{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1747e9|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e84e|C:\Windows\System32\SHELL32.dll+13e466|C:\Windows\System32\SHELL32.dll+13dee3|C:\Windows\System32\SHELL32.dll+13dafb 10341000x800000000000000052760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.168{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+174765|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e84e|C:\Windows\System32\SHELL32.dll+13e466|C:\Windows\System32\SHELL32.dll+13dee3|C:\Windows\System32\SHELL32.dll+13dafb 10341000x800000000000000052759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.168{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f 10341000x800000000000000052758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.168{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e84e 10341000x800000000000000052757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.011{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+c5d8a|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2599|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226|C:\Program Files\Notepad++\notepad++.exe+1f8115|C:\Program Files\Notepad++\notepad++.exe+1e4a6d|C:\Program Files\Notepad++\notepad++.exe+1e8bdb|C:\Program Files\Notepad++\notepad++.exe+1e3b11|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 10341000x800000000000000052756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.011{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+c5d78|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2599|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226|C:\Program Files\Notepad++\notepad++.exe+1f8115|C:\Program Files\Notepad++\notepad++.exe+1e4a6d|C:\Program Files\Notepad++\notepad++.exe+1e8bdb|C:\Program Files\Notepad++\notepad++.exe+1e3b11|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7 10341000x800000000000000052755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.011{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+c5d78|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2599|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226|C:\Program Files\Notepad++\notepad++.exe+1f8115|C:\Program Files\Notepad++\notepad++.exe+1e4a6d|C:\Program Files\Notepad++\notepad++.exe+1e8bdb|C:\Program Files\Notepad++\notepad++.exe+1e3b11|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 23542300x800000000000000036248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:40.675{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4203441679D48CFD00A7210B520154E3,SHA256=D0ED344111BAB15C7EC08870ABC10DEC2010430542A4F7A484E6DC963A4E0AC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.064{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50078-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000052818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.064{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50078-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000052817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.062{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50077-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000052816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.062{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50077-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x800000000000000052815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:40.433{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA66C19BAA1B46F51F1084AF02DE866,SHA256=49CB56D07F4EA148641EFE442FF98FFE9C42DB5783E864698F5103E67E938EE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:37.538{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51601-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:41.691{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C38F4E206FA04867B767EFDA441A51,SHA256=BEFAF50697C11FA86CCD45382C8377FC539B8BCA06D6D3BC78434494FAE75535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.980{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.964{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.964{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000052821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.949{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exeC:\Temp\del.bat2021-10-18 14:17:41.949 23542300x800000000000000052820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.480{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1655103FACFCC6DF24F19CBBC5821FD3,SHA256=E0BF1D76322A0F644C0820A6BC1386B78D6780E97656A53238B56C4CA0FC7F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:42.722{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C718694F64F46C56304EE25F26842D,SHA256=B9A8CA2C9229D55A131167319042F3161F368F8DDECEA0AB8251D2412A8EF10C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:40.076{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50079-false10.0.1.12-8000- 23542300x800000000000000052827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:42.481{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C352ADD0BC90C190A20F3886116E56C,SHA256=080CABC5991BF2A3ABFEABFC439CCB698463DFA84820B0097ABE93B8CDBD8C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:42.042{8D4DD44E-8034-616D-1F0A-000000000402}6496ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-10-18_141739MD5=44291DF60B49039EE0BD1DC5E3FB7FEE,SHA256=BA08452FD6EB153DA7CC7626ADB6CFAB49DEA9CB874216C184D61A5B5039971B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000052825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:42.027{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exeC:\Temp\del.bat2021-10-18 14:17:41.949 23542300x800000000000000036252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:43.850{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-150MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:43.723{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697D95D7AF95DCA43D6597E24A81E397,SHA256=4F385A9C09B48F80ABED2FC43EEEE821577C0395AF2601A62FA7B33D9CF58B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:43.496{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638DD71CC022F2837E42DA30C102E300,SHA256=C5ED185F6D82CF389C87A17D11D979DFF96409C5393BCE2D4046C2D601D2772B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:44.864{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-151MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:44.754{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B310F41B783B4DA2AE6302102F2BF8D6,SHA256=1EC7B4306D3EE24FAEC13B03A176CFC3EBFE7F2031ED80B360584B5CD4EA8A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:44.511{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FDA2AB0378F1F00EB3F99D153823C,SHA256=633F61FA828D15CB7152E27D96749D3858E1513CA21D67573B0D53F34697BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:45.754{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC01B50AABB9D5BC55F56F14CCB6DF6,SHA256=03E20B51BF7CFF35E665D20A7F412593E334981A67EF8E9CD0EC4171D1688335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:45.527{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A4735DBD255D77FCAD71283C8A5E88,SHA256=712CCB3D073A59193B9C9A5976F7F31BF20404AA8B93D2FD48CA46539DD6936A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:46.770{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06084AB4AEBDB1AEE46E765D8A48763,SHA256=1FB07A9487054A2AAAA09E12F6B45A18354898C66FD28922D0FE62098261C53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:46.652{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DCF51322D0C7FA18BB0D539CCCAC9E,SHA256=EA1D0C7F3F9BE5962BCF32EDE98A34E043E10F8D22E0CDB5723F0AF71CADBEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:43.539{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51602-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:47.785{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14425EC236CCF096B893AD2D3A706AC,SHA256=BD43408461BBE5DDC54E4A8AFD524AFBD53E5BAC7A98EFEC223CFB2413C295F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:45.982{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50080-false10.0.1.12-8000- 23542300x800000000000000052833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:47.667{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AAEDCB0BB93342B25755249BC80766,SHA256=EE892767B39885D7557D692EE4BDEF5BA15E2B165A75B6A7750F0F8EF1F721BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:48.786{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF94D5F6549CF010C3D69139761F7AD,SHA256=1EA648B2EE83DB9301535CA864185EB77FECD90A3B58C1F9DFC5A9945E76A63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:48.670{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B91851479287033BF1014F6C8663D98,SHA256=5CEF3DDE26EC09B6CEF2920A6329AF5598FAE2E4D6F695D4E4A5E1BBFB3093B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:49.802{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933D33E6EBC6855A65000F99540E0FD5,SHA256=55644087CB9018E4D1EF4DC56507D4E59187AF7FFEE0CB3569606B81565C0EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:49.685{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABF052C9DD5198CEAD2BF2F6868C52D,SHA256=D62BFEB599DF33882788051DC619D40C2512F7FE0606DC37E33900899F757E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:50.864{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7CF2AEC9D337C3AAFB64904FC27A7D,SHA256=7A1DEF873AAF5D2D1D026F32B91221E14A2EE69164695C779B95F950C3A7B0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:50.701{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001D67692EA70D6E8D0E3A0A45EC1949,SHA256=C19648910786472F4042581514EF7D446B7F00D00E4722BD0093FA6B5E0B4A30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:48.571{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51603-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:51.958{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD92206C7B44ACB2FF3847BF980E547,SHA256=F1AB374864298E45E7E2C638CB01703427FC175459EAC3039263F642A201918C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:51.717{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FFFDD1F00B309F460C2F91DF090934,SHA256=2F9ECE8BB638015292949760F46D1B66B236994A6E555CDA3EB3EA74F30EEAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:52.974{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B872867788CBC773B43B5EB7E319C3,SHA256=717CADA56758269CC62AA8D60171F1D16D26F5F5E44B2AD5CFB7918ACDD86B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:50.985{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50081-false10.0.1.12-8000- 23542300x800000000000000052842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:52.732{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A348AD26D272A143DE1E8F1CAE33C2,SHA256=27D5D9373CCF1B03C866FEDC280DF5908F953F678DD751A048638B9F7802BDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:52.208{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9199187193BFB3116173A216E0FA2E9,SHA256=AFA04680095534BEB7CB0C370A5C2573F3233BE0DE2CFF498A25BCAAA1796DE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:52.154{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:52.138{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:52.138{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:53.989{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7DE9B37815EB22F57B7FC9E263B55C,SHA256=F10B168A9C41E36B9EADC80B71EEFAAA066BD0515F4B3F0E25ACB77E0F8DF986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.779{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFCC423A16CDACE42EDB300A2EF3409,SHA256=2E9CE8316A23002D8EDC86F7517410B4562428CE6297E150DD231448F9732374,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.763{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.763{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.763{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.763{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:54.991{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314E7AFABDC2BF9D62FD17745D88B3B5,SHA256=1D160174EE08F3A01B3F4FBB850AECC3610596469D4A75E38A406E4FB68D0066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:54.826{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B1C51FE7CF067354448978ED23929B,SHA256=6FCEA946B2177C3D820B67715F7181FCCD0FD01135BB9F5182D1BB51830218DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:55.841{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975955CA2ACF1B910821CC8986E25049,SHA256=DEAF94D4DDF75D853ED234CE6EEA624A30DEB618598F53D021D60261C0049CBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:55.779{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:55.779{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:55.779{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:56.873{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FA0C0B30F404A1965EBB5EF4CE7237,SHA256=537FB9BE75F11936F018F689B0085B9EAD86B618DCA69DDC32F9904F21CC4A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:53.572{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51604-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:56.006{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C773573AFE4C66A1E79498ED226891C,SHA256=E275F319BC3BBC933DAF2AA04CE6D3FBC3BBF3438EF2B0C9A33D0550ACF8C833,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:56.841{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:57.919{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39710677910D80AD2FEE50812EA09096,SHA256=F2C4C4AAE19308C2D807F6873F43B69C7647F128DE5931271FB8840F1730C5B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:57.038{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4339EDEA1923E38569322FFCE50C27D,SHA256=5BF4DD7FD2B448D9019648A7F16B70DB7FBD679C6A2228DFC351C9D442CF30E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.935{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B1E7B5C5CE6904DD56E435AAC08B69,SHA256=5A0ED2C7755C01CC05B712911C8A3A678AEB28771506C2E4B09B5D0AEF156884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:58.069{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BEA1CBDCA8186996DB61CCCD1B5796,SHA256=24E46AE25CA32173B5096D3091E172C3D9D5801F25EC6066F663CF91DB89DF6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:59.966{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6CA4F9623BC98BF0E45876ACBB02E2,SHA256=6601A81C76D73FF79CF5D7FD9523A242F86A517CC0A4E3F7FF482B760DEE03EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:59.100{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CB162B847F3CC58BEC6F53F97FB8CF,SHA256=07B9DB64F82D4ED6A8CED270B034CDF60F4ED7C0591B027A7D73F4D1141B6995,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:56.938{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50082-false10.0.1.12-8000- 23542300x800000000000000052870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:00.982{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076D95FA2FD451630FC80FE5EB0BBCB8,SHA256=9A9AFAE770C4625B74CCD7962DAB9DBAB82AF51AD7E06FC256BC74AC025F61DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:00.131{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAF604356530BA47F7DFE16B539ADD3,SHA256=DEE30AC8DB78346845D6B6FB2510CBB990ECF0146DD42A7FD552D78F02AE261E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:58.650{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51605-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:01.163{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978FDB3B552647D92628AE2D79911C0F,SHA256=083819C327703C36FE3C0FDC25AE35286F49F336C0BAD4E58F846290C50EFADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:02.194{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C490E5960A23F2D140BEDCDF1A8410,SHA256=9E5087A983445706549EA9E203C5257BB4CD6CDCB0A8381EB03537F92F59F5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:02.997{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9F9FD94684E5CACBD64B8E4A8B367224,SHA256=DC307E62F73EE7EEC80CA780C73EB7D680B1EA1B7B8F911045633B87001B4D53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:00.050{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-185.attackrange.local138netbios-dgm 354300x800000000000000052872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:00.050{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-185.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000052871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:02.029{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A967C74432B4D4F75206436A0B5419E3,SHA256=8B8DA00E6259A1A9BE404887509653545FBC09392E84BD88301E1448B2106FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:03.210{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E749E5F37912555C41CF42C73633C39,SHA256=C4ED21638E20F6AF57969C9E96353D34780A369B6D0E28090993CCDAF1A10ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:03.044{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E322F8B94FAF55437AD1FF825506491,SHA256=A815BAA59FFDFDB491F557372FADDF6A724331210DB64FDE36CDA29D45953F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:04.209{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8873DED1FC54DCB3D27BB5E6BC2109,SHA256=F12079CAE067967BC053F9A2378981DABD8BEAEAFFD4FFDEE0EA82E54B22E8E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.966{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.966{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.966{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.950{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.950{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.950{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.950{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.857{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.857{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.857{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.841{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.841{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.841{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.841{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.107{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.107{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.107{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.091{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.091{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.091{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.091{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.060{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D2267199D1804D1E4AD9F7E7220A37,SHA256=FE546E57E37E1590B1C5F7A27B602D4DDC888FB38308DB7914F935244CDBE977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036279Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:05.225{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99938244204ABC40289FF1F530E28A37,SHA256=C28FA74B4317BE03039ABAEB0D395C2E3D6BC845D77838F0B4AD443DAF23221A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:02.969{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50083-false10.0.1.12-8000- 23542300x800000000000000052898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:05.061{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F932BE8821BF4305716FD09F540D8FDD,SHA256=6531FA8F2F8413FAF30A17ED2A78C9B5A9E8CD34BA52E0B3CB8DC5EDD23BF8C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036281Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:04.650{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51606-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036280Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:06.241{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55923B81758BFBDAC326E4CB7B88A381,SHA256=866955C5FC1845D597D455E00C316806BE3D9D383D67BD8C9DC934EAD32C9803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.716{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-821E-616D-720A-000000000402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.716{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.716{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.716{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-821E-616D-720A-000000000402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.716{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.716{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.716{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-821E-616D-720A-000000000402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.717{8D4DD44E-821E-616D-720A-000000000402}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.091{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84926F290269AE1CEB1C69B5A23707A,SHA256=B28AEF211CE2A6100C18C4BA477FECD88B04D3249D75165D3CE347D942484C9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.044{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-821E-616D-710A-000000000402}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.044{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.044{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.044{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.044{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.044{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-821E-616D-710A-000000000402}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.044{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-821E-616D-710A-000000000402}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:06.045{8D4DD44E-821E-616D-710A-000000000402}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036282Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:07.272{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A789AF7F5A925FE59E324E5995E999B5,SHA256=8B34A61C5322F414D5C46B9C6F2437F0B4CA50DDDF67018094E83EA7765B1B8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.888{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-821F-616D-760A-000000000402}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.888{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.888{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.888{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.888{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.888{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-821F-616D-760A-000000000402}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.888{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-821F-616D-760A-000000000402}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.889{8D4DD44E-821F-616D-760A-000000000402}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.763{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.763{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.763{8D4DD44E-79A3-616D-3609-000000000402}4800988C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.763{8D4DD44E-79A3-616D-3609-000000000402}4800988C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.763{8D4DD44E-79A3-616D-3609-000000000402}4800988C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.763{8D4DD44E-79A3-616D-3609-000000000402}4800988C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.747{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.747{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.747{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.747{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.747{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.747{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.732{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.732{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.716{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.716{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.716{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.716{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.716{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.716{8D4DD44E-79A3-616D-3609-000000000402}48006764C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9ab4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175750|C:\Windows\System32\SHELL32.dll+16d62c|C:\Windows\System32\SHELL32.dll+19e808|C:\Windows\System32\SHELL32.dll+16d7c6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000052929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.727{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000052928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.357{8D4DD44E-821F-616D-730A-000000000402}45044472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.216{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-821F-616D-730A-000000000402}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.216{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-821F-616D-730A-000000000402}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.216{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.216{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.216{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.216{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.216{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-821F-616D-730A-000000000402}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.217{8D4DD44E-821F-616D-730A-000000000402}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.107{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0910FFC91F1BD437120B0A16EA2FF15,SHA256=3DC97829EA8433A3303553739A7F40FE0EC480B9041210B2BDA8D9D9E9A6D7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.060{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BEF294730C990F652DBB711765D33AA,SHA256=365869A32B5D6839E848954D5418B6B837BBC30F834DFBE73E84B2622939BC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:07.060{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B092C427C4154FBD4FCE4F01D7310F3,SHA256=44E5AA0E89C1B322D9E8C8D35699DCC129A9E38DD4FBA159D038124DA6684B20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.733{8D4DD44E-8220-616D-770A-000000000402}58842756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.577{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.561{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8220-616D-770A-000000000402}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.561{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.561{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.561{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.561{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.561{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8220-616D-770A-000000000402}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.561{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8220-616D-770A-000000000402}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.562{8D4DD44E-8220-616D-770A-000000000402}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.357{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AEFC4F7740BE61DB99C0632F49FBEC,SHA256=C5033045D07BC9134238E5E6C512761F46AFABE05DF0AD9D59AF72C07EDA8A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.357{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BEF294730C990F652DBB711765D33AA,SHA256=365869A32B5D6839E848954D5418B6B837BBC30F834DFBE73E84B2622939BC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036283Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:08.288{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB409627C7B2EF969D4A122E46BD1305,SHA256=0831507FF9EEB77D28B6555399F2B8507EEC5FDA76A9A7EC455D983DCDD2F954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.060{8D4DD44E-821F-616D-760A-000000000402}54921956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036285Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:09.350{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036284Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:09.350{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D169E83D81EF88299F293B0A5B72DFDB,SHA256=020647B5F53C6B6668F30C45109EFA3BE404BA83919979A5E530EF174EA79C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.983{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E171A3059B6A7958F952196CCFCB20E5,SHA256=3614F6A2E969A7F0A88D29CE774B15842C547211B677F36D45295A06D693346B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.921{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-820A-000000000402}6428C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.921{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.921{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.921{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.921{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.921{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-820A-000000000402}6428C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.921{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-820A-000000000402}6428C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.927{8D4DD44E-8221-616D-820A-000000000402}6428C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000053057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.905{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-810A-000000000402}3516C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.905{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.905{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.905{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.905{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.905{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-810A-000000000402}3516C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.905{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-810A-000000000402}3516C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.913{8D4DD44E-8221-616D-810A-000000000402}3516C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000053049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-800A-000000000402}5076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-800A-000000000402}5076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-800A-000000000402}5076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.899{8D4DD44E-8221-616D-800A-000000000402}5076C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000053041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-7F0A-000000000402}4280C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.890{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-7F0A-000000000402}4280C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.874{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-7F0A-000000000402}4280C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.889{8D4DD44E-8221-616D-7F0A-000000000402}4280C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000053033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.874{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-7E0A-000000000402}6680C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.827{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.827{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.827{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.827{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.827{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-7E0A-000000000402}6680C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.827{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-7E0A-000000000402}6680C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.840{8D4DD44E-8221-616D-7E0A-000000000402}6680C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000053025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-7D0A-000000000402}6688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-7D0A-000000000402}6688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-7D0A-000000000402}6688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.820{8D4DD44E-8221-616D-7D0A-000000000402}6688C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000053017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-7C0A-000000000402}3996C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-7C0A-000000000402}3996C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.811{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-7C0A-000000000402}3996C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.812{8D4DD44E-8221-616D-7C0A-000000000402}3996C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000053009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.796{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-7B0A-000000000402}2668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-7B0A-000000000402}2668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-7B0A-000000000402}2668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.793{8D4DD44E-8221-616D-7B0A-000000000402}2668C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000053001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-7A0A-000000000402}1156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-7A0A-000000000402}1156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-7A0A-000000000402}1156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.780{8D4DD44E-8221-616D-7A0A-000000000402}1156C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000052993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.765{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-790A-000000000402}4164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.765{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.765{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.765{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.765{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.765{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-790A-000000000402}4164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.765{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-8221-616D-790A-000000000402}4164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.771{8D4DD44E-8221-616D-790A-000000000402}4164C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000052985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.593{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3655732C6457BCDAF3255EC725385257,SHA256=87B7738275D750701D16D381174EBF9748DB849298BA23A513787251C6B03367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.390{8D4DD44E-8221-616D-780A-000000000402}47647132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.358{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332784CCEA8CFD98701A04DAF6D46AA1,SHA256=96A8D8D1801CE7ECB1990E591F62D6C4D4317CB78A98DDEF851BFC9B24266F16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.000{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50084-false10.0.1.12-8000- 10341000x800000000000000052981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.233{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8221-616D-780A-000000000402}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.233{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.233{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.233{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.233{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.233{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-8221-616D-780A-000000000402}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.233{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8221-616D-780A-000000000402}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:09.234{8D4DD44E-8221-616D-780A-000000000402}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:10.796{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=708632228B48D7D47A9F344C69384A47,SHA256=67B36480FFFBE4FFA3513ABB94577BF0FB49E5186C0E9A799593EFF9120E69C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:10.608{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB4CA748ACA4A63157BC7C92271C010,SHA256=98BD5EBA2AB5364A86C11357EEDE1B576246F8DC2CB6235B7BE7AE6E9BE5AC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036286Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:10.381{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285BEE727A4890C9B095894DCE65191F,SHA256=499092CAE2AF3523909F39F656D09EE4B5113770F1608A99193FAB7972480BCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.765{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8223-616D-830A-000000000402}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.765{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.765{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.765{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.765{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.765{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8223-616D-830A-000000000402}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.765{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8223-616D-830A-000000000402}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.765{8D4DD44E-8223-616D-830A-000000000402}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:11.640{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE43B8EBCF74ABDCE7A19A5AF469807,SHA256=885D12B198506615610AF8CD6A7248759831646E19D0267F2BE7DEBC85A526BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036288Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:11.413{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55AAB223E5BF40C1D7057987BF120C5,SHA256=F85C181E027289860F9FB0B3C5DB1FFDB61F91229E30600D008361C5A45F5258,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:08.424{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50085-false10.0.1.12-8089- 354300x800000000000000036287Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:08.822{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51607-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000053080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:12.780{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2CDEE38F2389434C47C9990BB7C7C6,SHA256=D61346103044DB8717FF99BC6FF5D2B71F89360B9A707EC192FBDDC938908B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:12.655{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1F9917A0B81EE02CCB37EC8434500E,SHA256=BDEB82D057D535645008861EAC35CF65219874A749320D5E9510F70BA6ED7AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036289Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:12.428{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5267A2EEC7FCBEDD0EDB44B0145F5B,SHA256=DC9DF24EB5F941581C2FDE221C52C001C61E016941D8F1FD8B5F99575DE86B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:13.718{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB74B48C79C88D460CDE55CAA99CEEE,SHA256=2A924ABA347FFDAA5A063B3AE7BFE1D0C09C2611979BC805DCD2E01627C61809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036291Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:13.444{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A7590BEF18E9E8843310A126A8FA13,SHA256=D8D7275F6C2B0344E63864F1F3B7C71B6E9E7777BD3543F9FF69D85C622983CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036290Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:10.681{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51608-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:14.749{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEED9582A6F061B73E6297511F338E0,SHA256=DE8B8BDB67383D526CF5A0FAD8B5DE13C864853187A267440F5D7FD3E903A439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036292Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:14.460{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9BF86CC0A629901085CC7FEF6B69EB,SHA256=5720F5FC6ADDC0201CC78507A325C30D5AC8DA849892631B728B399F4DDA3D58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:13.002{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50086-false10.0.1.12-8000- 23542300x800000000000000053084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:15.796{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BFDCBE7AA1520D15925EFF02D4412D,SHA256=DF488F105F070D5DCAFE7A1B964739BD4AFC225A4E89B122C3A1E77D16458DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036293Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:15.491{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB12756B6311B117D813CE02A6D23B66,SHA256=84F28406ACE7B602A3D117F4C2D56DF7FF3C238B79705D62B79B9F8D1E126DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:16.811{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4121E24A65B4C7C9D9C3E0BFA5008CCE,SHA256=48C50D2984834D163D0668EB10E134CC2EB7B9D7E1EC21784BB0D552F1D6931D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036294Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:16.506{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52211030AE11AC437B44B4066B446A47,SHA256=D9B8517D508D55DFDCDE446111D96F0046E02AF74FCC3C5B4125EB8D9E3E584A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036295Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:17.538{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9DE70E2D82CD7D400341C9962187B1,SHA256=110994B2F5900ECD0A9A80A551898C0B1B762EDBF0A9C0B466F5FBF6EA4555EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036297Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:18.569{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDE70CE4C8DF4337FD3D2E9B6DB6D09,SHA256=5CDA907550610CA350FC744E492F0878A2E532AC2E5581EFE3B1D386D132E453,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:18.452{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:18.046{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E4784FBA1370554CEB5C0775E99B9E,SHA256=80FB03EA0BCB0BADD059F0F8B8654420DDD47EA23F05742CA4B2BA565443BF2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036296Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:15.698{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51609-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036298Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:19.631{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFF648E9B018285D4EA3878E5350AD0,SHA256=42A0B72574FE381E08B85DCB04D90099DD2802951C96E259ADE3CE66EDBDF5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:19.077{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120CFA14A2247347F3521D549FCF1D05,SHA256=08A29A1F00A4701B9C7370DADFB2C40F8EAF9F6AA2C1569C6E8AD56EDAA5668F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036299Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:20.647{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950DD8D592A0A3D3CABA447E872AAEB9,SHA256=E5BD63B699E772909637566D6BB829B7743515489A8EE29F02D3F1204CC87593,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:19.001{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50087-false10.0.1.12-8000- 23542300x800000000000000053089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:20.093{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5B565F806F48905004C6244D71EA4B,SHA256=F5A05A528A73F539DA78ADE6A7F8811CB1E8A50CA488E958A634738B031E36AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036300Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:21.648{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04E514694E1BAB10FE1BFD1D2444FA8,SHA256=1522099BC22C681B8433A3AFDCFDA1820D4849B72CB66F11230DA816565CDC4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.561{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.561{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.561{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.561{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.561{8D4DD44E-79A2-616D-2F09-000000000402}42682260C:\Windows\system32\taskhostw.exe{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.546{8D4DD44E-79A3-616D-3609-000000000402}4800988C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.546{8D4DD44E-79A3-616D-3609-000000000402}4800988C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.546{8D4DD44E-79A3-616D-3609-000000000402}4800988C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.546{8D4DD44E-79A3-616D-3609-000000000402}4800988C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.546{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.546{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.546{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.546{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.514{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.514{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.311{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.311{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.311{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.311{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.311{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.311{8D4DD44E-79A3-616D-3609-000000000402}48003420C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+3d503|C:\Windows\System32\SHELL32.dll+3d3cb|C:\Windows\System32\SHELL32.dll+3cce7|C:\Windows\System32\SHELL32.dll+3c9ac|C:\Windows\System32\SHELL32.dll+122487|C:\Windows\System32\SHELL32.dll+1223e5 154100x800000000000000053092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.305{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000053091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:21.108{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18ABFD577F09D6A8D6D4C973937E9C6F,SHA256=042F0A434B0649E1104F9492FF361541FE56D510FB21C6A150D2458DEFBDE7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036301Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:22.663{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC3321854DF15EEC20CF27637D7B14D,SHA256=A7EB81FFD581822E301A9C23746A7A37170A5B189DF25972122B0D4F99A30144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:22.342{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD6C65E921629CDB5951CC95527D5A06,SHA256=3444A20E71968AAD3EFF972ADF46C63637EC51F42966B80700274C534A54364E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:22.342{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2BA9B50ECC3A8D0619C7DA924840522,SHA256=979BF3DCE6FC90F2BDB22600C31EBF49ACA529DEBBE406FA900A18BCA0F17AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:22.124{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2E1298A6B9FD87F1A715F104E3AA3B,SHA256=DBFB69CE4F9E273ED5241092FED8C4F3592ADA861038AEC8A14A636388D5EB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036303Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:23.678{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B884EB24211F934AEC06186B961B407C,SHA256=97C8A6618386E5EA18C5694437F07EA374AB2F124B8E735BC88A0BDE85CEC4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:23.675{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-159MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:23.155{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306B341A40969F1AAF84B897E691804E,SHA256=C8917CA19E6DB636FA7FC3A60A376D7AAD1EEECD0DD78F354D4A8F723E118AEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036302Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:21.572{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51610-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036304Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:24.678{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64ABC69265856E3C3F783DC56DD2AB1D,SHA256=1E63419D7225BC449152C3CA0CEEA232C2ED86D8CD169EA006DBAF7C10DED622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:24.680{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:24.179{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161C2E3036E736DD0758FD203C48BBEC,SHA256=56CB449AC4321C9993D5EBA9AD30CC8CBBCBAFA24881E837EEE3E489E42A1DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036305Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:25.694{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F264E2F0B8AABDD1C8E59CF89CB89E,SHA256=32EDDCE935813ECB1869A077B0532935E053579432B0985855CCADB3FFCB46BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:25.195{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A26F4CACF6692D141686B132DDDDB95,SHA256=EE5D930894A55F6FA9B2F5C0194EA2509CBEEB87B2140C667B870C6ECBC1EEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036306Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:26.725{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39971D82764223F50802137092B7AE7B,SHA256=CC04DE3E0B3EFA6CFCB024E2F7084B06F8E84B452728CBD3DE3DA67C0445334E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:24.057{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50088-false10.0.1.12-8000- 23542300x800000000000000053122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:26.213{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793D84E49EF2AB243BA857BA2FD3495A,SHA256=B08759E50DE76B032B4D3836A7FCF49D8B9E032BF59A7C748520D96F7D07A765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036307Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:27.756{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A165712BD74376BCF57D5E004B493848,SHA256=50E57A619FDA4B28C0A843C8DD229498E328273DAC6A26ECEE2F0081129DE3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:27.229{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AEDB011CE621F6E0DD117E53721BFB,SHA256=00EFFF4A7E494F77CA8AD8EF9CB2C87D13B53034B2B752B63900789EE20607B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036309Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:28.774{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F204A0B7A591529882736DBC79FFCA62,SHA256=4DD9B3D580D818D16FC55E3EEE66B413D9921483916C95335134B28466FFA912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:28.244{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADAA78D8749A4959796A31CB4C4D9C9,SHA256=5C6874D7BA5E958D79651B41AA643152C1A5CB1949F6FFCE07098553FD31B770,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036308Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:26.587{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51611-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036310Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:29.821{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69CB17865F20465E744143AF59CD468,SHA256=B2E49B30614DFDEC83DB6E957A4D563EFFC39915921A2DCF3D068E1CF38F8301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:29.267{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4421C693882CBD6879D45DEA1EA3FF5E,SHA256=CFF22C76B497578F67901CA0EE35EBD74CD2153C693D0E23BB4E84F724858681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036324Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.852{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B92ED7A4C439D2E7A5A05B85A972749,SHA256=B024E14C48E4100B1FA917D51AF014B85BC14590370FCC0EB0EC75A060922693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:30.298{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477CDEF26B2936D0F36FE2016C136918,SHA256=E2B41063D48BF0252237DEFA450259A90E8C59D948B23966E92CAB187006C427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036323Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8236-616D-E607-000000000502}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036322Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036321Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036320Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036319Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036318Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036317Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036316Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036315Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036314Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036313Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8236-616D-E607-000000000502}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036312Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.727{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8236-616D-E607-000000000502}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036311Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:30.728{6F8252D3-8236-616D-E607-000000000502}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036341Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.899{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E390A74E57462C736950898A64784BFC,SHA256=AF3377B731C74BAE289285162AE1BF498F6C734EB3C904F7189AACC2AE8DB2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:31.314{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E015953E94FE835F7D82E2066B2134D2,SHA256=9AED0F4C878586D5E0F9A67962F62CD6FDE066BAAB59E289AC73DAA49153A327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036340Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.759{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715DF0A9FC3E69C70FF63F6AEB7CFCA0,SHA256=A6908B08D0301821C2EEA6351FEDA205E71543AFA2ABD4F9C82C8CC09758D262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036339Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.759{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18078329AF7E9E90D62520E4EA60EF9E,SHA256=08E91EEF197CA1EA6A928CA5150210D0A9D467071F51C7B675C4B6BFBDD50ADA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036338Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.571{6F8252D3-8237-616D-E707-000000000502}632592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036337Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8237-616D-E707-000000000502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036336Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036335Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036334Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036333Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036332Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036331Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036330Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036329Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036328Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036327Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8237-616D-E707-000000000502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036326Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.399{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8237-616D-E707-000000000502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036325Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.400{6F8252D3-8237-616D-E707-000000000502}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036355Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.931{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669D57CE9D9097E5A92106E94AB73C5A,SHA256=2AAED6A7BE4DF270E89D122291D9582C2AB6FA51A0E1B4C3FDC316F6B76AE7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:32.345{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1807AED3708EDD0381429ABB4142367D,SHA256=9AB20BADD1DF84BE54F51AD0A7F0456BA5DB981E6F8915ED4BC3F1A651052344,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036354Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8238-616D-E807-000000000502}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036353Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036352Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036351Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036350Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036349Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036348Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036347Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036346Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036345Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036344Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8238-616D-E807-000000000502}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036343Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.071{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8238-616D-E807-000000000502}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036342Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:32.072{6F8252D3-8238-616D-E807-000000000502}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000053129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:29.910{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50089-false10.0.1.12-8000- 23542300x800000000000000036372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.946{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733D1171596383480A5D6C3D632E3560,SHA256=8CE7E8CF8D31B96324E8B66316B928CB91AA965E9160502F964B32B655AF4C02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:31.700{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51612-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.446{6F8252D3-8239-616D-E907-000000000502}25281032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.306{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715DF0A9FC3E69C70FF63F6AEB7CFCA0,SHA256=A6908B08D0301821C2EEA6351FEDA205E71543AFA2ABD4F9C82C8CC09758D262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8239-616D-E907-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-8239-616D-E907-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036357Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.290{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8239-616D-E907-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036356Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:33.291{6F8252D3-8239-616D-E907-000000000502}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:33.548{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E624E06FF2B4664C343CD16EE1ECB26E,SHA256=18BC517B6A0BAD2922C776E1B9CAFF58CC241C7D849C845088BCD5072F95B455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:33.548{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD6C65E921629CDB5951CC95527D5A06,SHA256=3444A20E71968AAD3EFF972ADF46C63637EC51F42966B80700274C534A54364E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:33.392{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFCF31A2D6893D305A44158C322A45E,SHA256=1F49410C42927BA2041DD577EDC63B7522A5EF47EEDA0DE24C9CDB6C48BDD117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:34.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C798ABF901EFCED58B11291EE2195521,SHA256=F648C40F7BD8C4BD40B58B99DACF1D6D3D95E5A7BAA0B998593B6615E6C5D016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.571{6F8252D3-823A-616D-EA07-000000000502}17282108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-823A-616D-EA07-000000000502}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-823A-616D-EA07-000000000502}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.399{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-823A-616D-EA07-000000000502}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:34.400{6F8252D3-823A-616D-EA07-000000000502}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000053135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:32.347{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50090-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000053134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:32.347{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50090-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x800000000000000053144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.689{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.689{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.689{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.689{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.689{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.689{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.689{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.423{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2912EDDD32658F6F4FC8B8F22C442753,SHA256=B5FE85032C3A53034D76A287F84F4861959DDA5CCCD77EFECC538AB46CD806D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-823B-616D-EC07-000000000502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-823B-616D-EC07-000000000502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.743{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-823B-616D-EC07-000000000502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.744{6F8252D3-823B-616D-EC07-000000000502}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.431{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=508B2BDE34C43B2E7092137736D64F75,SHA256=B8973B1FDB15A1AB3DD5793C8F2EAFEF81C1BB78AF4F71F616F95B4695BA7FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-823B-616D-EB07-000000000502}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-823B-616D-EB07-000000000502}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.071{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-823B-616D-EB07-000000000502}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.072{6F8252D3-823B-616D-EB07-000000000502}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:35.009{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E402A829202D6CC298F96EB215A5BF91,SHA256=8FA7166A11E185A71FD95B56A78363704C309AE731E1DAFF9C3EC412840B5B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:36.454{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A81FC85FD429F842BE5DA64F2A77719,SHA256=E98731415520EEA0992A0223B941E1E0CBAA76D8F31AE8DEDDFAFA87A77D4541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:36.977{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2158EE80C5B36F72021C33069861C939,SHA256=154EAD3B36B7683492F76E58C10EDB5E1EC1D4D4B815B02F21EB2131EA329FAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:36.118{6F8252D3-823B-616D-EC07-000000000502}37524036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:36.071{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFBC6B9D2AB615B1C8B332EEB2263DD,SHA256=68D39A1CE98D8F69D480CF9BB5601803CF76BCCC4462715688D4F4750EB8874A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:37.485{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD4F3BB61F103886D82318BBE35398B,SHA256=8E2C027C9AB36B4C7D8FE71B2A2773E36FBBA73F8AF9D8823AE3A544612CE4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:37.227{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0D64EC3342ED4B69C52011B62CB1FA,SHA256=3715C705644BAB0ACA1A0377CA283704B6CD6CD1257E6021889E94FF34191534,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:35.097{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50091-false10.0.1.12-8000- 23542300x800000000000000053148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:38.564{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187749E516884ECD827A5167541DB626,SHA256=6225BA6E05ED6FA012F78081DB07D3984FD78185B7DA25EB56F94013D8FEBE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:38.243{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6664636B763D64E08AC3D5A1AFB07ED,SHA256=7EE33E96A102BD287C451E0104F9DE049748ED53FADDBA09294292814C4C7D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:39.798{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE47BBDF6B45B5E88A325277F0F7F32,SHA256=80FF518EFE1EA318D7587B1EAD01F16218CE598D6D1A9366F94E7ACF0055B1B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:37.605{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51613-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:39.274{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B568BE44688911FCBEBA82654392FD,SHA256=7BF5B90268B16396EB348195A7094B0C90B100F8FE837F201432B1B213861BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:40.814{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6149C51731040DED930783D6AB97260F,SHA256=E68943413A4BC294C3A3AD71ABECCC83FDC24A94B74DF9C7D96A2441E44D61C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:40.306{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C1103236565B8B0C805B064DB24ACD,SHA256=FBB49C638B17160CF0599A3A5469E5B89D8B8915E08E4F51E0D70FD8DB6B145A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:41.829{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05134F23272191076D4B00B3FD4634C4,SHA256=5DC9243AD4B7236BCDAD1D265C823806E691D40104EEA1F33E4DF5D130987FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:41.337{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3C2B1F6EB3280FEE2279FB61736E5E,SHA256=7B10D67AFA6A85DC27DF11A94F23FC139F94DE3ED813CE7E514D540DBD165935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.986{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.986{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.986{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.986{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.986{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.986{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.986{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.970{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.970{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.970{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.970{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.970{8D4DD44E-79A3-616D-3609-000000000402}48006056C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.970{8D4DD44E-79A3-616D-3609-000000000402}48006056C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:42.845{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BA9E4E4D9CD39E42D4C827D15A2AA9,SHA256=EFCB6712F40C9ABEB758D4E192CC861B0CFC1009BB2B4A18A73B369C0BE60D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:42.415{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA507BD3DA43948E967A2A81938E9787,SHA256=E8885E0C954042CC47879EF2982D819FD0150F660372964FAF2C483A9451272C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:40.941{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50092-false10.0.1.12-8000- 23542300x800000000000000036425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:43.415{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2C0BD0EE3D0433AC941B89CDF667DF,SHA256=0E5D4985535A28E57098F3C01609AB06FC47E26AA80CB0576F67A93708A50FD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.049{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000053180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.049{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000053179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.049{8D4DD44E-79A3-616D-3609-000000000402}48004196C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.049{8D4DD44E-79A3-616D-3609-000000000402}48004196C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.017{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000053176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.017{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000053175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.017{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000053174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.017{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000053173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.017{8D4DD44E-79A3-616D-3609-000000000402}48006088C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.017{8D4DD44E-79A3-616D-3609-000000000402}48006088C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.017{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000053170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.017{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000053169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.001{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.001{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:43.001{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:44.431{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4DFBD3AED3BD28DF11211E62ED6DFB,SHA256=5679B6CF9ADDE15EE7BC21B3BFD22D3EEC267E46CC10058387615C8BEE2E49D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.173{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C151C170C7DDFE78EDB300AD733EF3D,SHA256=CC4ED523CD09BF3A664F975A48F7C0D62D1399D95CD37EEAE4252459802B01AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.048{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000053195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.048{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000053194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.032{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.032{8D4DD44E-79A3-616D-3609-000000000402}48005176C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.032{8D4DD44E-79A3-616D-3609-000000000402}48005176C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.032{8D4DD44E-79A3-616D-3609-000000000402}48006464C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.032{8D4DD44E-79A3-616D-3609-000000000402}48006464C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.017{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.017{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.017{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.017{8D4DD44E-79A3-616D-3609-000000000402}48004588C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.001{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.001{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.001{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:44.001{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:45.496{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA988D24F2625FD8504C252445A0A893,SHA256=BD5874FDE0D883124094A647A04773F5AE23046765F9489E2659050BBE960A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:45.188{8D4DD44E-8034-616D-1F0A-000000000402}6496ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\del.bat@2021-10-18_141842MD5=2664AFD0A6D3B49A65F01F170F5E8057,SHA256=7676A51DC4AC5BC518490F63099A9CB05765B2A00371421807BD6BF88D5DC29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:45.063{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87420628DE7D4302ABB2394B6A9E4692,SHA256=503C7F14F804B0A59063A9C876F5A128D57B02327E0C9059B5444DB489973E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:45.389{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-151MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:46.525{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132D3B0543D4CEF630C81907585DFB81,SHA256=C5A142226ACF9A81E848FC8A8BB6A84E8D8BB2DAB41880478A641A1F30314A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:46.079{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F701BA86FEE8D60DD02898BB611323,SHA256=F4BC0B35C7AEEF19452AB261F9D488B58F1C0B5915F4DCE72ACEF2B2EAAAFABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:46.388{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-152MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:43.636{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51614-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:47.542{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06258F30122F3B04A8C9FF79123ED027,SHA256=075C58B63083228175E91740EF2C12F0391F17EA9DF306D1927B8201CDB56681,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:45.972{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50093-false10.0.1.12-8000- 23542300x800000000000000053201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:47.126{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B1FF8822416D5454F43925362561F2,SHA256=6C2DCDEC1ACEEBBE80189B43D0C8841496302369053863E64345FC00E37C9D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:48.557{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01997D5736AA92E67B48CBC7CC9B34C7,SHA256=762319E44229A8C5AFEAA6F04A36A8C8A0316AA26784BB4042BC5FD575529513,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:48.532{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:48.532{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:48.532{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:48.532{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000053203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:48.141{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AF68B37AF239F2DE9905EBB5ADB4AB,SHA256=BA1AC54268EDC67E8428CB76A9B91DBF3C30E1EC466ECD1CC26B1A0C67B5B0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:49.588{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A60E949E99F1F32659DE6DED476E4E7,SHA256=35CE31F89A1CC022D11523FD6BD7364A32B20F7B731CE30F0E889AC7DF508B48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.377{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.377{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.377{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.377{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.377{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.377{8D4DD44E-79A2-616D-2C09-000000000402}19325356C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.315{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.315{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.315{8D4DD44E-5BA8-616D-0C00-000000000402}8486772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000053208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:49.143{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1110D4C7F3EB89BD7921DC622CC537A1,SHA256=C6F3497CA665DB24109599F63A8F90832124A4ED7621DEA3D03657B3C7730B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:50.588{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C479E03C8D34CE11331A52A838979E7,SHA256=40C7352C4A8F53936A6BE506D62C9951A4CA01C78CB860C1F070B8E964FC099B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:50.174{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D011206DE5DD457E6486001D3E87C300,SHA256=D75671CA9F89C0D7F1B9B6AF0CC2374478F06ECA5336CE826774D20EB4FDFAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:51.635{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0968DCD9159680A3CD2E4FDC030C2AE5,SHA256=3E42110787D7277352FE2F3A1EFD2EA9426B1C856B184B4BDE603393DE2951FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:51.190{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D9B145BB5A2760BA1175F8DF142F05,SHA256=9E4F5E4CA0AD8FDA090DEE2EAD2D038AB972D36D3029545A1E40CE93B231A2AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:49.543{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51615-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:52.682{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F82A120B03393DAA9E5C7BDF8372EF,SHA256=960384A81704CA0C74EB923ECBF66B8DF61B1A59503A89EDADD28C1BD03896C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:50.989{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50094-false10.0.1.12-8000- 23542300x800000000000000053220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:52.221{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01542A123E3D4D18BD037205410F39AE,SHA256=34725A21DE706A7A44F6B0BF3806C243D5CF2537B044843A70AE69681177D2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:52.213{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C15FC9FD6DC1559967FAC2F4995D70AD,SHA256=921F533C7DD80905BB7E9D05534CC36F8C1F0584E37F8076BEF36DA2A14729DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:53.775{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A316E50B26C9BACBFBAB44226F1AB995,SHA256=F1BEC06421E59E1E5C818FD4CDB12936DF07A17607180E9B91183762236CD707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:53.268{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517BF003621B87BF4CFE3AC23A153567,SHA256=CD24CF66AE843C48CEB44F5EF558E6CA81F0F1FA61D36257F187012131E03AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:54.807{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F522849C0A3C117B6EA41DB92F21EDB,SHA256=DC7814534B5547EFE803672C752B0856EAEE43CC2F12CC825FCC3C477FDF69CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:54.299{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE630E96A714DA8CF0BC7F47333BA25,SHA256=3E8CDE6964CF45F5CCEB2C6D7DE96AA4EF6C036CB5CA6515E0C1003280198AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:55.853{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A13085E724F1C94AB2FC6E4C935A2DB,SHA256=948C67E6625F6738218E07CA524C1C8BD8D919F4C1314D3B90319914D31EB419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:55.315{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3240911390D19F5FD1AC47962BA91F62,SHA256=7E0A53258E538C2FDACCDB2782ACF5DAD57FA027B1DBBACEE7908E6991A5463A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:56.869{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16789EFE88AC1C234A715E27F53C74C5,SHA256=7FCF3AF184BF53141BC6EFF0C5AE5220B16B733E9F4DD07618095B17A203E8A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:56.346{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26CC8CFC0EAC2EA7A615B81E3F9A672,SHA256=E715467AE76550D3A96C3AAAFF9A454FC7DEACE8DA70B0156B6BCA9F2DF97FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:57.916{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741EA2D94EFA72DC3585D3ADB1059094,SHA256=68BF9AA5B7C1968A6BD4D3C3BC04640BFF3AF5A7DBB00E7DA45598FCB27CB990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:57.377{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4351DAAE98C2AAF1E32CE2504E6B7F8B,SHA256=71A16E159463968D4B16B40334ABFFF246F3A8E0F4E022F27AF8F9A471A4486B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:55.574{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51616-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:58.932{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04E2AFB54EFBD398268205CFA4E9B68,SHA256=502F805D2FAAB4BE2EA15C84F2404F6CF4B2E6098B180135F9B58DE35E0E96C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:57.005{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50095-false10.0.1.12-8000- 23542300x800000000000000053227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:58.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BF15A975979E58FAF5CEE7D0A3B2FC,SHA256=CCAFF14C13BA9165E4822F9EBCE8BCB2472D966E929FE7A2140178FE6D6D8208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:59.947{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6232FC8BF838E35D4D56A21303011A46,SHA256=CF361543E1B4D219F4D582815D48EFF0BE0921582E8CC1FC44EC03174C470FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:59.486{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36354599325251DB23F4A3C6DA7AF0E,SHA256=8B66DCB54CFB5A03F36B832ED964709701A1A7270C7F6C3CBB580D6FDA6B99BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:00.502{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7785EED9935A46DBD5120A6298B84BD7,SHA256=554527DC35301571EE81ED8C477C4A42FAD4E2237C7A39048B9E594B23885D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:00.963{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C960D326FCF7B4D5E8263368FB0ACE2A,SHA256=70E39BFB511708B6953720CE1CC85E8C28130E4B7EF313D8131D298DB84D445C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:01.978{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE30C2102FB66FCD8A4F3C22B4C308B1,SHA256=509B6262CDC64B9217D64E984975AD91D587D204691D53B13FAEE9B60B40B823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:01.518{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF08A4B863F1996ABCE7E9A96663DE8D,SHA256=912CA6E05681FE37ADF468033BC07A08A8260495897DD3C84F618EBD349A74CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:02.979{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3751F137796CC5D36D8D4396EAFF504A,SHA256=18C214536D22BB1733A4057FF873640580567B2B8441E1FE2E3C5246E37E4877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:02.533{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9B04951F7EBC871AC28F12BF39BD23,SHA256=834B9F969DE1EC3A6F2DE4DD5F37D3C8102E98364ACE328C498D980C52039149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:03.994{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14CE922FE251F424AA842EFDE60F9F2,SHA256=6910645A90277E31332EE342F3E9419FF8223819C1804D1F44FE118E3D86ABF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:03.627{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356A03E020D45E7654F93E9698C81D9A,SHA256=F1D905A91AC69C3B9CD460E37993BFD89D42D397A408D0FCD7446704C38899FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:01.605{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51617-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:03.002{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5D1E540323292BB1DE9CAC7109E9B6D8,SHA256=F402EBF8A01DAF3C579C4007960F3607E8C202A489B4AAFFE062909E73A28682,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:03.020{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50096-false10.0.1.12-8000- 23542300x800000000000000053235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:04.674{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA38952E6E285FCE90FA5A420A42DCD,SHA256=89B0695593CD97F13A102008008BCCDA09DD4BF281F65002A41C05E2C45ECADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:04.994{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E37B9FFF48EA20EA64F57267CC0C4F,SHA256=8E9C4262824211BBB55467F50C4B9DFB037E804907E4DA0D6C71008F37683036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:05.674{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB131B80B0E2087FA20DA379E2C4382,SHA256=A4C98F68983F6EDB1719D7592F54397F3FB7EF3E6735342B7FADCC7048A07A2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.736{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-825A-616D-860A-000000000402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.736{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.736{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.736{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.736{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-825A-616D-860A-000000000402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.736{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.736{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-825A-616D-860A-000000000402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.737{8D4DD44E-825A-616D-860A-000000000402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.689{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE113378AB06646CBA231538F0884E46,SHA256=242323D55F2665DF061CE9DAF943963B80AA36682CE773E58E4CCA0BBD39AF9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.268{8D4DD44E-825A-616D-850A-000000000402}67286692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.064{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-825A-616D-850A-000000000402}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.064{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.064{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.064{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.064{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.064{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-825A-616D-850A-000000000402}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.064{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-825A-616D-850A-000000000402}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:06.065{8D4DD44E-825A-616D-850A-000000000402}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:06.010{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18F5C756B8F72096424A5C9480E1A63,SHA256=3C8C5B6D15D93E2F5DD48F5D2AD82ACC1BBB1E76440E6F46DBB3EC42963C028C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.877{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-825B-616D-880A-000000000402}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.877{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-825B-616D-880A-000000000402}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.877{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-825B-616D-880A-000000000402}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.879{8D4DD44E-825B-616D-880A-000000000402}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.705{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FC349753DF79340BACD16F442273B8,SHA256=7680E2AA8798D3AE2047EF0B1F417FA019757BCD688A53E39B7366A3B83BC548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:07.010{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C863FBA3B7F1518F9AD9135287F94188,SHA256=56E08B9BE566B3605ADC6B8E0BE46195437A6BD03B97495AEF75FF6FDA9DFA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.252{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-825B-616D-870A-000000000402}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.252{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.252{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.252{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.252{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.252{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-825B-616D-870A-000000000402}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.252{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-825B-616D-870A-000000000402}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.253{8D4DD44E-825B-616D-870A-000000000402}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.111{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B98C8C6ADEF5A4E6B50C76879ECB5D25,SHA256=DE71283B2D890AC6FBBD874B487A88F69949313299BFE3B3605A380C0CF2C380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:07.111{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E624E06FF2B4664C343CD16EE1ECB26E,SHA256=18BC517B6A0BAD2922C776E1B9CAFF58CC241C7D849C845088BCD5072F95B455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.710{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442D829D334AC7B13308991556458B93,SHA256=34982F33574D126380B53E6B527D9FEF2656CEA63A0C90F46A92D1EE14FA1493,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:06.699{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:08.010{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7040411DA39C0FFB0B5D246D6279FFD,SHA256=27E411D453F5E3F9900743568A1AAB5798FD6498EEDB91F4480E4FDE88F9DD1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.663{8D4DD44E-825C-616D-890A-000000000402}45125716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.601{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.502{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-825C-616D-890A-000000000402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.502{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.502{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.502{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.502{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.502{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-825C-616D-890A-000000000402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.502{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-825C-616D-890A-000000000402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.503{8D4DD44E-825C-616D-890A-000000000402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.424{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B98C8C6ADEF5A4E6B50C76879ECB5D25,SHA256=DE71283B2D890AC6FBBD874B487A88F69949313299BFE3B3605A380C0CF2C380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.064{8D4DD44E-825B-616D-880A-000000000402}63844320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.741{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CCE370BEA71EE31C35F999823F77C1,SHA256=8EB0474E92F9810A84B743B36BCB4148776AC959CA228295B7366C204C49E82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:09.374{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:09.014{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729DE47547547B1B2DDE8D1B018AB169,SHA256=995FE7C90BE8A49CDCFCFDC384F87CA9B0EF43EFA7D62BA9F4AFD78AFB36FD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.507{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C49A7046B70CD1F4E4FBC1B38B5E76F,SHA256=EC77B2FB7A79BF8790DFF500EA58844AA81EA91A0F7F89BBE2632D717FD26EEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.398{8D4DD44E-825D-616D-8A0A-000000000402}4321304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.179{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-825D-616D-8A0A-000000000402}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.179{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.179{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.179{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.179{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.179{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-825D-616D-8A0A-000000000402}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.179{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-825D-616D-8A0A-000000000402}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.180{8D4DD44E-825D-616D-8A0A-000000000402}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:10.757{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F0FA283FCC61B2F911937FF01D7C6A,SHA256=51168E98546C882B8BF5C0A341CF5F3DF9273A37284E59E868CDAF34F1C5CF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:10.030{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BF2C1A5A62899914F25F3FF6C008FC,SHA256=F4A5EC6BC49BE1BADD578AC21B9755F6D550FA1D5F584FCE704ADA5DD5F4F0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:08.447{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50097-false10.0.1.12-8089- 10341000x800000000000000053310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-825F-616D-8B0A-000000000402}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-825F-616D-8B0A-000000000402}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000053304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86B11960781BD51D180E1BD7A069C67,SHA256=52FAE7780C75FFF910731AAAC92C5ACB8B1663242F0E7CC112868C87BEB46653,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-825F-616D-8B0A-000000000402}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:11.773{8D4DD44E-825F-616D-8B0A-000000000402}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:08.844{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51619-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:11.046{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0247837A9111B165E97E46ED2A6D7564,SHA256=5CFA833B8297B5FA254789FD77C4DA6725E0E835D17C12BD038493FD2816C4D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:09.010{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50098-false10.0.1.12-8000- 23542300x800000000000000053312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:12.851{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD12F4A2EB152CFE06B9AAD38B2CFF3,SHA256=F779E1DE623C08174F237C7259FEB5E96B183E3F360474393C116D3395EB810E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:12.788{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C56CCFE8FDB9211862A24A530614457,SHA256=B8C5CC470AC6DF9FBCE5BBE09CB2DEFF9A61B326F965BCC3AB59658C2ED59917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:12.061{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEB02C0231048926EDA814E118F2674,SHA256=C9829F2AC0BDD9A986213700C8CEEA545BE966560F0592D01C20DE52E169647D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:13.804{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F217C28C2BC06B625249B228610A1B,SHA256=EC4EC8218E4529690AF1925D0ACB730CAC9DC499B4FF7662BCC85A2281B8EE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:13.077{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3181F4FDFBA086862B299D1F2565399B,SHA256=31455AFA8F0CE0C76C582A079F9F138DAEFB6C5E539C01D1B21093AFD81901C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.819{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C527A1D5E78A4843E5EBED76A9F552FC,SHA256=1CD8BC12D1677EF16459CDF10FCA2FA79094D0690A245BBA1A0D533563A44E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:14.093{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC88693EA10D652C6C36E6997E00395,SHA256=F0D55E73357FF9E553B006637E941D4539AC06D202A67896F9422E4A62C379DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:15.851{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC27A3F9F5FD58046051FB1C2B4BD402,SHA256=B4EB1CD6144B20182EA995C1B189D90DDC2CDF3DBF79691A7FED4F2EB6F6FD34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:12.719{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:15.108{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD594A7D59B26B51F1A630BE52950AA,SHA256=0CC3A6A09C68988272491273D3379AB619AEE2B224AE8CB06009F1469A509764,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.087{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local56982- 354300x800000000000000053337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.085{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local64733- 354300x800000000000000053336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.083{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50234- 354300x800000000000000053335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.081{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local54631- 354300x800000000000000053334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.079{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local63251-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domain 354300x800000000000000053333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.079{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56809- 354300x800000000000000053332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.078{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local63974- 354300x800000000000000053331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.077{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local52763- 354300x800000000000000053330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.076{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local52877- 354300x800000000000000053329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.074{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local49409- 354300x800000000000000053328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.073{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local63251- 354300x800000000000000053327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.072{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local63251- 354300x800000000000000053326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.070{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local64813- 354300x800000000000000053325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.069{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53742- 354300x800000000000000053324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.068{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local64461- 354300x800000000000000053323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.068{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-185.attackrange.local64461-false10.0.1.14win-dc-185.attackrange.local53domain 354300x800000000000000053322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.067{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56219- 354300x800000000000000053321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.067{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56219-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domain 354300x800000000000000053320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.058{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50101-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000053319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.058{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50101-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000053318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.057{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50100-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000053317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.057{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50100-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x800000000000000053316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:15.210{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E0455A373429614C07BF2032A35E139,SHA256=A79CB0A91B79490F5BF59E5863065886602AD4D10F95C42DF99F01D625C52D25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.025{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50099-false10.0.1.12-8000- 23542300x800000000000000053357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:16.882{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD64D98BD8A5A216F1E2BC13B8E5B60,SHA256=F214FB786C93AA05A8154522A342BC75CB2128DAC30FFF4CAC9BDFF8EC5594D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:16.124{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122E45E9F2E0DEB09DFD2EE6A0BD60DC,SHA256=6E9EA9DDFF87E698D682BD163DDCC70DBFC5FDDA277E7E8B9ABB5052B0C5665D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.116{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local56460- 354300x800000000000000053355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.116{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56435- 354300x800000000000000053354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.113{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local52319- 354300x800000000000000053353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.112{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local64974- 354300x800000000000000053352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.108{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local52700- 354300x800000000000000053351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.106{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local54152- 354300x800000000000000053350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.105{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53345- 354300x800000000000000053349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.104{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local64307- 354300x800000000000000053348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.100{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58219- 354300x800000000000000053347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.098{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local52308- 354300x800000000000000053346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.095{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50112- 354300x800000000000000053345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.094{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local56963- 354300x800000000000000053344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.093{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local58070- 354300x800000000000000053343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.092{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local58521- 354300x800000000000000053342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.091{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local53610- 354300x800000000000000053341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.088{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local63791- 354300x800000000000000053340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.088{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56960- 354300x800000000000000053363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.123{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local55502- 354300x800000000000000053362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.121{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local51397- 354300x800000000000000053361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.121{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local63256- 354300x800000000000000053360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.119{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local56781- 354300x800000000000000053359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.118{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local50146- 354300x800000000000000053358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:14.118{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local52870- 23542300x800000000000000036469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:17.139{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2022F414B13874F4FFF72424163FA0,SHA256=4A9478B82C2A0BB0CF8B667EEFC5A413530A7217A57507B19534FAA5F120DC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:18.155{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA715327E5629326F70D8C63CB71979E,SHA256=40BB4372D5B1207D61727EF05049FD845D9CC3E36A52FE171B1D64DF2AA2E827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:18.132{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92947E927154DE86A6D068D1AE162F97,SHA256=0522E99A7D14A54FE40300EAFB8A3DECD7C42955CB478F53B52650E3F9C1483A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:19.171{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F2990D827FC99D150F84CE8252ED22,SHA256=FD9DC3D0D575CE33A154E3F7F41D6D90EC4E41C47692BB16BE0B597255B55B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:19.163{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF22CB55E248643216CB528329FC7E67,SHA256=A161A1E4EC6FCE9F9EEC3A3B7EE82F074CDF65B7F4DCEC13F6A7CE63B80226FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:18.656{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51621-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:20.186{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E420B324E026C6EAE72431489999315,SHA256=81C31377E785FD23EFC26C6340058FB7E5785D9E2291E40C85E53EC2775BBD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:20.196{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BC688F7B48B16C19B509041C99A889,SHA256=99FDD6B40C231453A45229B17D69880FE2AA80035BF3357C03073C10B1B4C6DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:20.011{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50102-false10.0.1.12-8000- 23542300x800000000000000053367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:21.211{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8240FCA664BE8C8493DC73D53E0822,SHA256=237BA1D68BC9614BB93865D3387601A2B2BC9F78A72C5330319D8A1F325F9D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:21.202{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2816F186AEE11814AFCE7FD5943BA1E2,SHA256=0592D6E8A1937C32370C695C2F0A78C5C897B97A15C99D6B99085E43E16E6809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:22.258{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EDB191A152D8A9436DA2F1D150A926,SHA256=5391638FAFB5190AFCEAB80AC3439B0CB18EE4993C8E16E547262F1140C9B1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:22.217{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036474151DB498FAAC2CCE445DEAF5FA,SHA256=22827631E1D8CD0C7B3D5CE191898C46BD925B7556D30F234FF13FC85594359F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:23.233{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE156C70899C619A5B34ECC0ABC300AE,SHA256=D4D1CF0C06E11DCDDA2DF24C74E7587797CCD0A97FB0734704B66718516FB20E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:23.305{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027404B970C9B620BF464CC79290D420,SHA256=7DEA5ACB8E1015ED9E45147A584F807649FE34CF73EBE74B53F4FF10B6EDD9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:24.233{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E872FE10E1E800DEE9EC301BBF1503,SHA256=B8EBDF50286061108A6A70E20DD1E32F403792F6691E649416B91014F62E4CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:24.305{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43702095E3E6C648559F593C9886DD2,SHA256=2B0D19698AEBEF951BECDFA614E6D955291EB9864F6FC90000304D86E8E92F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:25.336{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27EA66EF71DBE82D6E9ECD275272410,SHA256=9AF8EDC18DA57A786BDEB1768940676E1397C79D7A1D6771B6411119599526CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:23.672{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:25.237{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359530B36FA5F33C3020073068E1E7E0,SHA256=18850C9482167E9EDDCE3F8DB0424912360C1C58F6C1BEF5CD67DC8DB56AB2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:25.213{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-160MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:26.396{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B695EC8010199BC71DB03F1AB56B96,SHA256=3D992D8A1FD1A4635A3FC9FABE106EC656F538280A612A4214722A4DB541BEAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:26.249{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B782EDB6AA9C3810B12F981C6CC986D,SHA256=50DFF6CF4A11B41A1D99BBAE6006404EF4E4BCD8493C206EB945DA0AA43749A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:26.227{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:27.264{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5561EFE3A658F438AC3C202F83410B0,SHA256=07B67A301D3A90A6041E52AB01BE3A0AF6333A99F3C6048634C2E84DF74E3515,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:25.026{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50103-false10.0.1.12-8000- 23542300x800000000000000053376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:27.399{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5A55D520D4B0F6D7A84DB34DB03BC3,SHA256=A07B6F0CD224284ABF90FAE321741A5654E5F2496FFD97F55CB3A1DF04563295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:28.280{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435957BBCC4912C1C82B3DCC425C29D0,SHA256=A5DF979E0E9BB164A4783013DDD20437F2F8AD7354282DAB567386773F8B2A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:28.430{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CDDE9141184844659AA7038365FAD6,SHA256=08FBC6D1D79402192E36F86741E3766D44C187A677B02B3AB7CA7A34C3421FDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:28.149{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:29.459{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F2DFFA5D72636A38FE6049F8A0BF31,SHA256=D0E6BDC8CCB6D17852F754B4B8CE12F2AF368A9A4BC8FCDE66313331A7AE521A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:29.295{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1680290FD7B295F0F14A2EEE6C009E,SHA256=037A06E6DD4EAC92045A96C98B33C40186F9F89E4F4565C0DE23CC414FB022B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:30.475{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67ECC037E586CF68236DE9B7AA668705,SHA256=30DAE0059EF7E669BE405C3ADA128D7A3A86E0A7F71B3A18D572EF3C7E0CD03E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.873{6F8252D3-8272-616D-ED07-000000000502}25963464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:28.686{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8272-616D-ED07-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8272-616D-ED07-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.716{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8272-616D-ED07-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.717{6F8252D3-8272-616D-ED07-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:30.310{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709F5453CD59D28C288F2762901A2BA8,SHA256=31DC36105E0B2284EBF4F27ECB915B7D499476C6BF55CB2F9E70AF68EC8FD78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:31.537{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBA8CEECECB95CDB3220CB354EC2FF4,SHA256=B89E3362CC11C5A39A166E5455D3E7DFBD9257340C6646E39680F40D9F6FCAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.732{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5408B404D961E738A13FC12C44F96862,SHA256=56A85A400469D0D2F7C59BFC4513745C1A21686721AB9ABB2BB4606833B190B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.732{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A3ED54407DF0FF298676A150F54AF0F,SHA256=4195278E93EB7EE9AED52BAB2803AA1AB407E40FC53D4441598390B6D7B2BC39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8273-616D-EE07-000000000502}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8273-616D-EE07-000000000502}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.388{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8273-616D-EE07-000000000502}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.389{6F8252D3-8273-616D-EE07-000000000502}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:31.326{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F052271CFCB588BBD2E014E773773F5,SHA256=9CFF519DCF7598FF137DCBC0498B639CCAA8B106ABCBF102036187985F423D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.466{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB46ED16BC5EFDF7D8E77C0E3DD51776,SHA256=72C909CB32178B72B8BACED2909E27C20D089D0613C8061AC5B0F764BD7283C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:31.040{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50104-false10.0.1.12-8000- 23542300x800000000000000053383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:32.553{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6662D584E0107BEC0667CA096E0302E9,SHA256=549A9222844A1CE6CB67D9CA5FD7D5BC0EE4D3AACB35259EE22D8956DBDD3A02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8274-616D-EF07-000000000502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-8274-616D-EF07-000000000502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.060{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8274-616D-EF07-000000000502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:32.061{6F8252D3-8274-616D-EF07-000000000502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.513{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35A4C7179C0AF94F9043F53773E3C42,SHA256=3448990E13266F91702DAB385C29FF866EC1902329E5947421D6386CDB64B869,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:32.352{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50105-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000053391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:32.352{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50105-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000053390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:33.568{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991B550EEB6CCD8EC95064C2CC5610F8,SHA256=4F4C7F8646C21BF30509A1A458140FB4C8919CF0B7D59260EA8773A08ED01BEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.435{6F8252D3-8275-616D-F007-000000000502}9922388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8275-616D-F007-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-8275-616D-F007-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8275-616D-F007-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.295{6F8252D3-8275-616D-F007-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.076{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5408B404D961E738A13FC12C44F96862,SHA256=56A85A400469D0D2F7C59BFC4513745C1A21686721AB9ABB2BB4606833B190B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:33.506{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2E0190CC8E3FEB18C35C30AA64A03C1,SHA256=5108D146E3769453803738302D06F76B573D1D92A0BFE81750C4BAE059035444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:33.506{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D4C2715D77F80CB185D8C2D89C9746A,SHA256=6F947793D7AA6E892AF8C4C1AE3949C8FEB1E4AB31A430535F5D0893937A035D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:33.178{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:33.178{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:33.178{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:34.584{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6108CE5739A7A47772FDBE807DABDA7C,SHA256=6CE4EFB2B1AC40A17CC9EE8846932535FA2D922A5EAA00E1376F98367CF6FE36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8276-616D-F207-000000000502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8276-616D-F207-000000000502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.888{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8276-616D-F207-000000000502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.889{6F8252D3-8276-616D-F207-000000000502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.607{6F8252D3-8276-616D-F107-000000000502}2796208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.529{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087645D32B600C6458C4C16BCD9D6CA0,SHA256=A85FCD31C87047A7EB8CACF634F80151FD6400EC255D7B58B1CC18699E3BD8C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8276-616D-F107-000000000502}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8276-616D-F107-000000000502}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.388{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8276-616D-F107-000000000502}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.389{6F8252D3-8276-616D-F107-000000000502}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:34.373{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DE56A919D923BB957DE0FB612343855,SHA256=0FBF9482BBD754BDC0C59BFA333297DF58A4A140290E7573F679879733ED81B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:35.600{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E30717B1522AEC2C6E59BD4051D7A2F,SHA256=DCAF8ACD9C05BFEB4FF870B7FF70993F84B471E6B4FC3BF16B1E0DDB782BFF8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:33.702{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51624-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.560{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C2DA18F8C2FB8328FAD5712FBE0142,SHA256=4A6C920243B6A05235350BEBB3D03F426A438BFE949D6A117F59E5C432BA142D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8277-616D-F307-000000000502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8277-616D-F307-000000000502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.513{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8277-616D-F307-000000000502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.514{6F8252D3-8277-616D-F307-000000000502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.404{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B22EF71D286FA11398D5465C73A378D,SHA256=64E3AC03308EA154C2B05FCDF760537A157FBE617C35C0A42DE6B02229124B81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:35.091{6F8252D3-8276-616D-F207-000000000502}34201068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:36.576{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA8810BD48078D69D49883CD3B05346,SHA256=D556ACF09F3805ED84B2BC249DC8894D631BA273A63B1D981A9EE7C979FF45DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:36.576{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A56338110F3170439BCFA9D86E6C99,SHA256=385B2AC6971ECCEAC5D028B4184827486892D222073C5FCEE9B37C3DE9513919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:36.615{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7517E654E37B23523CCC7C839B9DFAFE,SHA256=F7A4D8ADA8FA195D8A9C87C449AA6A91F5AAA9598C06394EB1CC0265B20CA6AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:37.607{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419BF85E84A927E52F2D63B42402203C,SHA256=B49EBC962B1FACBD6EAC43EF5B0D4A23A550AAB05D885DF3C6A0D32B4FC3F5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:37.631{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DFCE2137315628127A64F8AEB30C20,SHA256=520EDBAB876B799629E52C93BFE45AD4B468DE4CBDC89714C9ED7EE04970B230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:38.623{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4220971E32493A9B02EBC54D07A32C97,SHA256=7400C981744C5531F0F3A2E94E0F8852BC14A4B1C3806EB8A636395C921CACED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:37.071{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50106-false10.0.1.12-8000- 23542300x800000000000000053397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:38.646{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49311BDA4F1F42CBDBEB3D99AE28252,SHA256=1A63CA1AC4B191CD95170DF6924B6E4E8DD2290FA8B600FF2454D6EADE677955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:39.662{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D911FA2F75FC6BC699737B22506CB7,SHA256=72E01DCF2D08C6DC3038579A60EF875DEC5BACCCC0937CC0CF78232C22E799E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:39.670{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D920EED12EAB7680AC66CDC8AA982993,SHA256=EDDAA91D155E2CAE7725C8031E199C875A3D2F599FF8DF8AAD2A9084918F3EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:40.685{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C7F298AE57B89F5CF7CF82A9CEEB26,SHA256=18A34009189198CE42677E1F31EB0AA63E2B35490A072300EAB3493EB410A3B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:40.678{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6556C204DAFC990871B6E97F7FBDA63D,SHA256=991584F49DA6C3D855E2CAF928E9D9A90A0BAD32F5DF7623703950F89277EECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:41.701{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1D6CC0109333BA5041D249AD6246F7,SHA256=567603C2715AF56AB931C6B4ADE458A63750FB6EFC6886566F8938A52D00B1BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:41.756{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:41.756{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:41.756{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:41.756{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:41.756{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:41.756{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:41.756{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:41.693{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A424C9F11D3F02A3A50A9AD8E6B3ACCF,SHA256=AA739357FDAA5D1FE9AC86A5232955B9D48500C13EE8979B99E322CF13C30C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:42.701{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645E1854B46275851875BAE1F1DCC17E,SHA256=3F265FF267A6D88A8E0D07004859B40F9538C168F7169FE7D35C1DBA1285CFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:42.709{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83081768C58CBCFF53319F651AC488B,SHA256=D3C02A49DC109A8FCE69943507D5EE1DFC2E6CC133BCF1DBD252DD3001ECF596,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:39.577{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51625-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:43.779{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F19C54E172D9A19805866E3E5FFF27,SHA256=E60493ECFBBB6CC6A711842DEFD8B71DDF4D648983F2AA3EA379D96169E04739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:43.724{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586A894D9B2DA1A060E39DADE4A09354,SHA256=1B25FFE42773F1D511BA53E0E8BD58893BCD58D043171E4C6FC936A0FD5E2CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:44.912{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C197FACF60869E1C9E853AA13B05D544,SHA256=9B7CB3453FDA7AA7BD627ECC63CCE9DF06A74963E3E92DAC79F14FBD54FAF44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:44.841{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076575B9ECA0D8B486AC01C72A30ABDD,SHA256=71A621439CDF6BEC5845EC35B92BAEDF8FB9C4FB17405078CDB737E88A12EC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:45.927{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7DBCD368CD1EC2090F4420B62B8D36,SHA256=DB1D919BB8806D1A3C10212885840C655AA342BD19ECBCD322F94B6A91CD2B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:45.857{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD20546B126C20E92709CD01C7D4A55C,SHA256=26F336D923F23F4E97535E4C8C36D66593B156E976B2FABA7E0C478189E857F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:43.024{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50107-false10.0.1.12-8000- 23542300x800000000000000036605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:46.907{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-152MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:46.907{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02BE071989AA870EE7AD563089D41D7,SHA256=808272440B77E2A05FEF4B60388AC1DABE6A84E79AAF70F5A0E1E5CDB1A9D649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:46.943{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072738F52D98397871F5F4BEAA742C5C,SHA256=25AA43BC851DBF9B427F5DA4EB3825F4AE944C603D10AF72A2B2095C8642A29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:47.922{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0DDBCB3ACEBB56562AB9486E552B86,SHA256=E15240C8BF9CC06F4672FA9FE2E490817CA24BE33DF0964393398E1D8B2B6A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:47.919{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-153MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:44.670{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000053448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.162{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.068{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E998A8F47FAC3716A7CF3C609B36CAF,SHA256=4D63AE709338FB356984B6BBE5037BAE72975000BEAB89D423C250222A2CFDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:49.043{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CF76C855073F6EFC9AA0734ADAAEE8,SHA256=8BACD7DE252B87F9BFCA499D639367475E1AF7DDEB98719558A2E948F60D979C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:49.224{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51421068CF78BED44A801AD49523F80E,SHA256=9614D3E04A71FDD6A8C4E3F6C2CB863C77A045F437E70770223B7BB12AB04385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:50.255{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0786259CF8B282DE8A32472A6A9E57C,SHA256=3A40784A2E2FA31E8A25C4E91ED00C4B2DBB1A86D10D054B9C3559062802F07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:50.059{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E8EA22A4F3DAE0007718720CE0E2F6,SHA256=A5CFC3512F5B15B7C663972C00807D47A278F80C98EFA34A97FEC66F7A580B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:51.286{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4CF65EFC3CD6DCDD90DD2BE2C274C3,SHA256=2ED4704E6148356F71841C8197CEE32557C3E9EF0C14E2226F8508CEB908DBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:51.074{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4C00052C64CA74B01E20321B887378,SHA256=A6725A294C4A273F3C5C80F4EA9285F279D1482AC331598E9B879A343B1ECB2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:48.978{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50108-false10.0.1.12-8000- 23542300x800000000000000053453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:52.301{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5595E2FC5BA73E8189883BC11CACE65,SHA256=3EA9307E1528A6B4BF42C8D2CAFFABF8ED19DE48ADB817522F3428476C9578DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:50.591{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:52.215{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=35BB18EB90DAA93D179DC96968FF7275,SHA256=B8F765FBAB2F66BF7451B3DA534CE5CA4D76389E0DFCBFC07A44A935364B7B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:52.106{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E570DA5CA611BF6488B7697029A2870,SHA256=4F1EB35EBD32532DC6B906ECE8454AC62C400EC2958B0D64327BA5B2AF304A06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:53.949{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:53.949{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:53.949{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000036625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000036624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008fd6ef) 13241300x800000000000000036623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c422-0xd5ddbac2) 13241300x800000000000000036622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42b-0x37a222c2) 13241300x800000000000000036621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c433-0x99668ac2) 13241300x800000000000000036620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000036619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008fd6ef) 13241300x800000000000000036618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c422-0xd5ddbac2) 13241300x800000000000000036617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42b-0x37a222c2) 13241300x800000000000000036616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:19:53.481{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c433-0x99668ac2) 23542300x800000000000000036615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:53.121{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6197D45EB6E352E7D00A500B07EBA6F,SHA256=CBFDD86C4CE0E6A6CE770DB5F1EF101C99ED19EC23FF6A7FEACF648C2F58189F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:53.333{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5ADE50BE31D7C1596838B40A0AD89F2,SHA256=DC35450562F60138717790F885FC901624D5BD6722F8D5ECE1ADB5975899E18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:54.168{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490976D874A61716ACD3123F9D1E7ED5,SHA256=EAED4381D8FB91EDEFBB3A17EB865D17D38D5AE001326A0980EA446E2291C3AD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000053458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:19:54.520{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x800000000000000053457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:19:54.520{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x800000000000000053456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:19:54.520{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 23542300x800000000000000053455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:54.348{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60280AE6C14F9DC8AA70474E1660002F,SHA256=6177963E94F1FC519470CD2192CE84E358B75B9CD82CA2D5CC6EF95EF0ACF15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:55.598{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035EF9BDE280FE8D885924DE90AB47D9,SHA256=51B1B79E2BBB1F1D7FE1C038C41B46CCBC560031FF67D1E32550D377BB051BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:55.598{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2E0190CC8E3FEB18C35C30AA64A03C1,SHA256=5108D146E3769453803738302D06F76B573D1D92A0BFE81750C4BAE059035444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:55.364{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F31C88412490EDB70ADBC6F977C7F3,SHA256=9FD6B97F1917DB02ACB50845324BEE092C6E10ECF5483B02D979F905832227FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:55.199{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC0ADB1D17BC8EC483B7A400A7FA2E3,SHA256=C8CAE60EDE028A5CC548015F05E17A4A507FF4A3CD96A480001DFECF574EE364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:56.379{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BC6B8BE8F1A31E20C2A649189C7EEF,SHA256=DF61DEEC76D109EB21B64A8A7D9DAB44F55BCEB1FECB304316936EEDF3192373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:56.262{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FA84C07B609010924118912B3B85F8,SHA256=A5808736BAD6EB2D0074418D914CA3242E96C8651AFB55C3A6E0BF68713779EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:54.406{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50112-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000053467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:54.406{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50112-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000053466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:54.390{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50111-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000053465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:54.390{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50111-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000053464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:54.368{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50110-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000053463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:54.368{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50110-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000053462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:54.009{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50109-false10.0.1.12-8000- 23542300x800000000000000036632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:57.277{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD9B3CBEC662B02DC87E2EFAF8FC452,SHA256=4775308546C97A8557AB4ADB1146734B31C76DEA7C15F598D7D1E6897C7AE5F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:57.380{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDA63DDB116911267A86AB1ACF343FB,SHA256=A391ABAC5558DA41BC7DBE52124C0F511246E42E739B4DD321D26DD519F96430,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:56.637{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51628-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:58.356{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C120E9D7C99A345E649859270BC426D,SHA256=FBF080D0C788930481A03F3F3650CA9C0A676C64BCF97B8E608A53E2D944E021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:58.411{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F526227A74753C5C6180E41D80ED607E,SHA256=DD4154226D2D2276235682AD7EF4ACFE1EE29F7475481D4F0CC7178CD3D078AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:19:59.387{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36459AD7FF97A8247C1D9D214F07D413,SHA256=E7225887FE26EEAE436FEF35D30A3A1DE69A18DE474EB52E704DCB062301C6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:59.426{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACA53675110ADF6493E967097BB99EC,SHA256=D71010B96E022D2F2FD080D41ABE4B1CEC67A53F885FA91AA995A9F94E730676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:00.489{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFABCACD29780967CF124A9658655F6,SHA256=C6A19E2959AFCE04BEFA405440F99DB672D0FD9907E8384C9B6FEC19611F9266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:00.434{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279C5D71D2F161CE84647ADFC64066EB,SHA256=1FB8DEA76ED16F9B5A4A768245913A39154415773F970E896CDAE9B31ECDF8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:01.449{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7A3988B5CD9739D6B3B03D7AF39842,SHA256=71E1F5D4873A96A78FC22A7283032A0809B3ED5B43308C1D7B8860A87AFFC9DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:19:59.913{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50113-false10.0.1.12-8000- 23542300x800000000000000053474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:01.504{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0101D39275AEFF22375B0FF2B401B88C,SHA256=C4E0869A5B56E8D0DB09B1081D25E428C798DF90B1E3CBA2DD0D63710E3C3F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:02.465{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057ABBD46D6AE5B14C21705C22F67DE9,SHA256=444FB64EAD926E79062E7B8D9E35CF383124284CE0044CBE79BDDE672C3357B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:02.536{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD7320435143B01213D0C3A10717925,SHA256=911154CCC66756A74A5356DC02074389C8033B5005C54D523A13B8D7CEC18291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:03.527{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BFE208CE701F5E48D441DD952C302E,SHA256=0161B9304E6F757AE1AA106E2E84E762135D745CACACFDB872C58F11C481BE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:03.551{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCAB30EE413FB6E451530207BA84D91,SHA256=B93C0FCD34F26A61E74F7306897401535BE7020049246576C3F65E098536C3AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:03.004{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F054BFD6E61DE8B19F764108F07874A9,SHA256=E230DC6B0735E61209315F8FAD997AE83C0CB235F503A1B9100BCEDCF06CB2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:04.543{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9BE1DFBB9072D15C1C143DC1C0AFC4,SHA256=AAB57A125155FF67851534D3A1348F13E5C888998260B6FDC6B2B9B19D13398E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:04.567{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE8FD8D8895425DDBE6409C073943F0,SHA256=32208D278DD1AFC04839580584725E8A6DAB77CB1C7F6BF87D4CF6D8DE8202C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.957{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8295-616D-8C0A-000000000402}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.957{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.957{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.957{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.957{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.957{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-8295-616D-8C0A-000000000402}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.957{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8295-616D-8C0A-000000000402}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.958{8D4DD44E-8295-616D-8C0A-000000000402}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.567{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A76214EB66DA2EE525774D119AE104,SHA256=0038D8BFBD8EF162E57ECD46DB80825FEF3E012EF2085BD5EDF1BED4C486EB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:05.574{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECDE496680EBB1A3B281F8E1A26C8DE,SHA256=22DA2ADFC8774CF7B83939C23184D16E215D1A15EC87192D5B4F6E249D963398,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:02.684{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51629-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.973{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97E239C952EE89E15DD0D4BB94750EC7,SHA256=50E0981B06CCD32DBF6C6A2DFB1E9D7132FE439CAAA4C55D9C21F8D85DC4CFAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.973{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035EF9BDE280FE8D885924DE90AB47D9,SHA256=51B1B79E2BBB1F1D7FE1C038C41B46CCBC560031FF67D1E32550D377BB051BB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.629{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8296-616D-8D0A-000000000402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.629{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.629{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.629{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.629{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.629{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-8296-616D-8D0A-000000000402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.629{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8296-616D-8D0A-000000000402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.630{8D4DD44E-8296-616D-8D0A-000000000402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:06.582{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED2803B4DCF9A385A096D3536AF87CB,SHA256=5150790B3602E84E23907F60A831C25D37A61A5C3F0EBBAA6648AA914C84810C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:06.637{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A2570F4BBB5B851EC84038D1065096,SHA256=C0B4BC870B26571A0054A2C1043BC522F41EDDC1FE3FA21CDDAAB6FF6B29869B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:05.100{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50114-false10.0.1.12-8000- 23542300x800000000000000036644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:07.668{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B72DEF5149F0A83CA931231E820435A,SHA256=4A00E6FF84FC3C8D30C472DCE2FADF7E3C427A113AFD7E1785E578B4D7D92440,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.989{8D4DD44E-8297-616D-8F0A-000000000402}65524764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.801{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8297-616D-8F0A-000000000402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.801{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.801{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.801{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8297-616D-8F0A-000000000402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.801{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.801{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8297-616D-8F0A-000000000402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.801{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.803{8D4DD44E-8297-616D-8F0A-000000000402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.598{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6618B9800E8EE2709963EAF6D95F9A,SHA256=F84B44FF4DE85945729E1CB0ADB066448AB19FEE04950CD6AA17FA21F3FEA010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.504{8D4DD44E-8297-616D-8E0A-000000000402}53245884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.301{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8297-616D-8E0A-000000000402}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.301{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.301{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.301{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.301{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.301{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8297-616D-8E0A-000000000402}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.301{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8297-616D-8E0A-000000000402}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:07.302{8D4DD44E-8297-616D-8E0A-000000000402}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:08.688{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C256007E538550A72800BC68ED0BAD92,SHA256=728213328FB59A6ABFD5178AF5BAD41CF53F855115EBCD88D62075EA36B02C50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.665{8D4DD44E-8298-616D-900A-000000000402}70005152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.618{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.618{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460E69244D12C896953FF77E6DDC50F4,SHA256=8365210A5EA0E537F591B53F7E3156A71F700083CE28A3471FFECD674B77DD28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.426{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8298-616D-900A-000000000402}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.426{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.426{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.426{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.426{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.426{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-8298-616D-900A-000000000402}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.426{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8298-616D-900A-000000000402}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.427{8D4DD44E-8298-616D-900A-000000000402}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.317{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97E239C952EE89E15DD0D4BB94750EC7,SHA256=50E0981B06CCD32DBF6C6A2DFB1E9D7132FE439CAAA4C55D9C21F8D85DC4CFAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:09.719{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E225313E97313DE0EA4FB79233022132,SHA256=FAEB4A7A71A6A15481EA9B05FDFF585A964C862C6B95785AC6386A526B4B161F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.790{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CBC7532F419D69C4A560DC753D63B4,SHA256=386675F4B858FA117400B46C3FEF804CD1ADDA718DD70C6C350D01CE68526A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:09.391{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000053542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:20:09.712{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c42b-0x41ca3426) 23542300x800000000000000053541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.431{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90FDF4BBA835B1FA5AE5A9D9E3BB24A4,SHA256=15B76BA347EE802E1EDE90FBEF0E0E5AC1C768290109855EA7CF676EC6755034,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.290{8D4DD44E-8299-616D-910A-000000000402}600100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.103{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8299-616D-910A-000000000402}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.103{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.103{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.103{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.103{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.103{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8299-616D-910A-000000000402}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.103{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8299-616D-910A-000000000402}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:09.103{8D4DD44E-8299-616D-910A-000000000402}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:10.808{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DE54C21B0459093FA47F13B7AB07CC,SHA256=51A528C8646009A753C18D3B42A1EBBA87A542F38D46DFAB894A24E5D375D04A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:10.751{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B9BF057D757054DF75C84A612B1321,SHA256=6280698B06FE82A8D14909DA6190691E6ADB40A2518313D6F3F0C3CD11D5299D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:07.700{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51630-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000053544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:08.476{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50115-false10.0.1.12-8089- 23542300x800000000000000053554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.824{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19BD57789AEBC5BA624A5B9D95FF699,SHA256=08D37E34351C5517554242B9CEF9C1B1AFB6FB9EE3424DE464AD37D910645CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:11.766{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F6D8A8F69F13731C126C624360D44B,SHA256=0AEC44535A1474F691ED02077AF5D9221F772E5C130317BD0508950FCF5BB180,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.777{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-829B-616D-920A-000000000402}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.777{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.777{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.777{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-829B-616D-920A-000000000402}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.777{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.777{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.777{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-829B-616D-920A-000000000402}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.778{8D4DD44E-829B-616D-920A-000000000402}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:08.860{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:12.891{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2410B5FA9F58A1E19527BF717AE6921A,SHA256=4CFDC9A9DEC3E92D0F8C815496B6D886C3748C98700402BDF80F12BFEAAEAF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:12.840{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFE16D8F6A6B759EA8584B779EC4D7F,SHA256=19A539C07FC38A72DF8B6CAA58EBA0B602C020117C53D5780DC551D4F1C88349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:12.808{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C9FF604637943807CDBFA3D08CB731,SHA256=09E67B59E11B24163C45A9629DC2D1F83A15FC209B4C8A8DED4667DC6C7B63B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:11.090{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50116-false10.0.1.12-8000- 23542300x800000000000000036653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:13.907{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DD8615CC248E8137594BF4917FFD33,SHA256=23D21F74BC8764D58E9DF4F0EC803FCA0FFCF354D65888B11C0E19D37F5A122B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:13.855{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255158B5179A4B030FB8D127AF8F2060,SHA256=567F88B614A24B8C25C72362BA08164EF4974CBAE9E35FF5B2FB9CD6D0695F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:14.924{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F733DA345EF4F6A5B793F983C335EC,SHA256=EAB0C0F9D75A5613362B016E9E97731CD0DF5FAE424CBFC3E0107263945B262F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:14.855{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E553503E09E73401C20A376D2B23E1C5,SHA256=5D124EEAA1378C958356D9DA516B66D38F5C3B5EB20E98D6D8CD50FB6F7478A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:15.871{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B49FEC550C3736D988181C32BFFFE4,SHA256=0C895B438D4FEA3883952731EC0A7A7B1D280D676A0A9587137F4E7003360596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:15.938{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862ACB37EEC4D895473341EB81BD66F5,SHA256=53C20131615E4E7B76B1AF53AE81DEBA23C15D4D3EADF80F4DB22822F575ACFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:13.704{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51632-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:16.918{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F06B9236A77D70D7F7161A31D1AEA8,SHA256=9D7B8BD826006C1B890ED871A2A269AD458EC0F813B9DA6457A972A2928D872D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:16.954{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B88C406D8611EE8059475422674CD2,SHA256=F534BF5C03B67139479386E5596E7893471572D5C1E6910A000467156C004F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:17.970{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0806CA8686CC90779573CC4BE6104D6A,SHA256=34B2154120E8BC622E66D9488DD2500EFB85A059731F7A20595541D4FF260781,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:16.121{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50117-false10.0.1.12-8000- 23542300x800000000000000036659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:18.985{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB2F2571233ADF265E45462149AB8CE,SHA256=50EE610D6278ACD945DC400C04B850C8BF932AB7847AFD434CD44BB95B1FC6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:18.152{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72D01E0F2EB0CCA4B78440BFA12C210,SHA256=50D679DF2AAFBAD780698C5E3E5031D6BE11AA6DEE88AECFF5393B78C1E6C7D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:19.324{8D4DD44E-5BA9-616D-1400-000000000402}10681176C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:19.199{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AB9A7955AF4215B8E47C950D5EC201,SHA256=43BC69C6AAE394BFF737FDB6001A600498163AB39EB049308BD9E260A6A4C124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:20.339{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:20.339{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:20.339{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:20.230{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A21FCCCDAF62ED36085539FF13C819,SHA256=EDA29431021207B8F3358DD0B714D503678CF471082DBAF53B68FC3A4F51EEC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:18.735{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51633-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:20.001{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503579772054C678C0CEA96EDD7CC97D,SHA256=9E2B0035514B77B8CA9A3EFE8F95F4A6A3CA7FC5141A1780490F5AAD5D3F312F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:21.246{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ECBB2D16A0C78749AC2507BA0517C8,SHA256=57B703E6D5AC031B3737AC9E6FC3AC339246EB132059944E54C888685AE38FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:21.016{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D67D5D8A422448089643EAEA6DDC26F,SHA256=7509F6C972856175AD6D583B5D8E3615593845F05F5DE12EF573F90AAF0D3160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:22.261{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEC02E5D089EE0B37E07C1263EC2E0F,SHA256=BA6A5947936786EEE19D234C3C6128F70950E5E049D7F4E4CD1B7CA5161CADED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:22.016{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B36DC7DD60C404D2A7784D88E47FB1,SHA256=9D05E2C33E696ED9A68542F3939D2405FE2120DF66183863D278C58522A2A6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:23.277{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468BFC7BE4259FD951B4DE93FE0BADEF,SHA256=D31F5E539A2DB2BCE403707C3EA55387AD6420771E266EB6B8F053B901BF1A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:23.032{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E8071F342ACE85A4A7C61248BE3A54,SHA256=7F8F950F1A81DD4588ABBC4B3B6179215A7C8050AF7FB20F70042E45957C483F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:24.574{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:24.574{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:24.574{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:24.292{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D723720FA0F8E78553762066CF012C3,SHA256=1B261FD03AFEC3ACAA1645ECC2D15C3A4215B53386F027E885AE74F7AF317B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:24.047{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AAEB9FE5752167062D2E479B68A80D,SHA256=D1B1F82F0E77E07003B8F66B3E25A42371CF2D487383799F224A697DA84F190E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:21.902{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50118-false10.0.1.12-8000- 23542300x800000000000000053578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:25.308{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4387559ABFF8F5DB72FAD33DF34CED7E,SHA256=52DF3068EAB5CF20CCCA19B7F839ACF86DC9A9612C8406E9E9B98FFEB00B0718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:25.063{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EDF3A4D6A4640E9C3A90DBCA87618A,SHA256=211E383D1E69ED1DB8D8F797B9C54281A9D1DAD2B71B0007950425D661B978B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.751{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-161MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.310{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD8762E307D795CE9DE40E79EFDBF1E,SHA256=7473E570BFCEEEE0F94FCEB6DF52E6462BB87CCE120F850BA94598FDDD8915C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:24.719{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51634-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:26.079{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A6ABB0B65406BF65E30C52DDABEB8C,SHA256=2E757BDBEB69856C8DE769F9A42D2FAD1BDDDDF9B500DBC4AB012288901A6175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.263{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.263{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.263{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.263{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.263{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.263{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:26.263{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:27.764{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:27.326{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AADB0815635442E4CFE063034798A33,SHA256=67BAF8A2FC6090251BC136A4C7353C6D0B8B30A4AFE539D42A8852016375AF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:27.079{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904CC6871374B18C27EEEB252B4EB867,SHA256=4313BA943D15F6D548ADC3DB0D61BBE22BD4A193BDC63ECDA43F048D5F590CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:28.327{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365EE3E0F7DF04B5D4EB7F1B2608F729,SHA256=808F74C2C67F56AE76A2D12E5704BB2A4E624BF7267D758B5E97FF238E973A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:28.094{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA6EAC287CA9027E787FEBE8421F250,SHA256=93DACBBAFF12818CDB1F99761F04EAC4CD709CDD32457D631172233D5D4AC1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:29.329{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B6A5F7B53482DB43C27D19642F4F8B,SHA256=FE7B5699302F1F3D43EE7DC8C8D8758392D03603E1BA319EE3949623CA5C4BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:29.099{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B131BB2C142AD67B2B9C3ABCEECEFC4B,SHA256=A3394477CFC762D0B5254485FD1FA2BF9FCB61247B056F84920A415A1F67069E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:27.107{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50119-false10.0.1.12-8000- 23542300x800000000000000053593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:30.345{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D7935320A423E86D8C740B17A9456B,SHA256=8C1A8AF87C2D68BCD2CAE18DA06D5C5F68218E826A15779AE964185FD734E3E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82AE-616D-F407-000000000502}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-82AE-616D-F407-000000000502}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82AE-616D-F407-000000000502}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.725{6F8252D3-82AE-616D-F407-000000000502}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.115{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80ECF639C723B779825510D9813A3340,SHA256=50E48A9008F13F59E63293B70CB95E67B84C27ACB293EF187AC68ED7B6BAB070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:31.361{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C205DB42B647F713C82F4CD4C607A7DA,SHA256=9A97FFD86134C1F76FDDB69485F465FB0D7485CDBB1844BFE366307FC1C79E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.724{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FCAF6FD4F3CCBB6FB7C4D6CA47CC71,SHA256=92781EB479255C556841F5CAD0488ED229C4A5F4D82C37F30AC19AA1A34EBE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.724{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABBF6187ED9DBC4CC5BD45E6E0C3E5D2,SHA256=6C0311B7A0974F1626204246D7FEDD9064EF4B28B8F4F5C9FCFD91BC995F0C0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82AF-616D-F507-000000000502}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-82AF-616D-F507-000000000502}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82AF-616D-F507-000000000502}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.396{6F8252D3-82AF-616D-F507-000000000502}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:31.130{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73417C273AF4CC664D122CCE759FA53C,SHA256=F1756BD271CBBC628780BDB1F581A2E287E827892357D58E0283C83D77E2B3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:32.392{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FFBB54273465990D27A97DC93A0447,SHA256=66621650C4B2D102067B74986EA458857C7D1A5206D1B0060D33370E914247A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.411{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F470E4F51D789EFD1610BD8AC9592E28,SHA256=B04B2108D3F78AE0A5CEBD250A1A05EFF8894D864B31732CA589622B3C06C89F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.177{6F8252D3-82B0-616D-F607-000000000502}13282740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82B0-616D-F607-000000000502}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-82B0-616D-F607-000000000502}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82B0-616D-F607-000000000502}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:32.021{6F8252D3-82B0-616D-F607-000000000502}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.474{6F8252D3-82B1-616D-F707-000000000502}31842324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82B1-616D-F707-000000000502}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-82B1-616D-F707-000000000502}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82B1-616D-F707-000000000502}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.318{6F8252D3-82B1-616D-F707-000000000502}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:30.724{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51635-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.208{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB92B6B00F5254266766D5452DFFBF0,SHA256=3C4D3CAE9121BCCEB8B43A88078F97E12EA8ED8E933F50984774C1ACF4307E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:33.736{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49179682661082BB51E18F7A971010DE,SHA256=4D9E20320C33530780AACF1B2886525BE5D4C6407BFFC14537E79716C4388C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:33.736{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA076738FD5DF4877FDBD6A6789FF1AB,SHA256=01C8F8FF7870F13108AEB4F3FDABF250F353F31E66AF57C9B12B31C14856A72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:33.423{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254400E3F15B1194A0A40343DE4EDD28,SHA256=831A5616C86F8DB12A95D2D1B2826C191610D6E0D8F10C11D67311FAD000255B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:33.036{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FCAF6FD4F3CCBB6FB7C4D6CA47CC71,SHA256=92781EB479255C556841F5CAD0488ED229C4A5F4D82C37F30AC19AA1A34EBE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:34.439{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06445F5579D348CBEB8BB7B86C84E5F6,SHA256=100E26EAE9AB540F1E649B668D9743046DAE7A37DA3D8E80A80758F350806E62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82B2-616D-F807-000000000502}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-82B2-616D-F807-000000000502}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.396{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82B2-616D-F807-000000000502}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.397{6F8252D3-82B2-616D-F807-000000000502}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.349{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D27B431B49D40922D3C2A5AF870EF33,SHA256=D6D55D3A042D10D9F46E68E6558CAA4CD1F779521DB806F2C1AC38E69E4F290A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:34.255{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1A2D84A19E9305AF56466AC9E47F31,SHA256=F864DFFD4DB74C64F7C9A82235E63BF12921DA70AFDAA74006A2E38760FDC8DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:32.360{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50120-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000053599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:32.360{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50120-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000053603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:35.439{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB8F0F8B3B30D86447C3916113EE577,SHA256=79C90ED59392F848BF2B6E21F59EB670AA72000D80FE9E295EE19130349E4DF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036778Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.911{6F8252D3-82B3-616D-FA07-000000000502}39362124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82B3-616D-FA07-000000000502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-82B3-616D-FA07-000000000502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82B3-616D-FA07-000000000502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.740{6F8252D3-82B3-616D-FA07-000000000502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.474{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17C3AAD787D66CEC35AE2D725CA8787A,SHA256=DC33D09BBAD23FD3D1659B9D1DD3B5A33F759D4816DA6AAFC0A7A311CBE29423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.380{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639336673CC7328F2DD78767BD542134,SHA256=1C73B40F0550395DE0535F7CDF42C874B725DAE24275D96EBD1BEA30ECC9986A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:32.954{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50121-false10.0.1.12-8000- 10341000x800000000000000036762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.255{6F8252D3-82B3-616D-F907-000000000502}2532136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82B3-616D-F907-000000000502}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-82B3-616D-F907-000000000502}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82B3-616D-F907-000000000502}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:35.068{6F8252D3-82B3-616D-F907-000000000502}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:36.454{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D8A2DED8B3EB74BB30837FFF75D390,SHA256=7DBC727DB103CA44EE88808596076DC495BD3E4315E9B7BC6C46C500047B9520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036780Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:36.771{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8749F2419164E6BC39CE42681E423019,SHA256=1DD6FADDA3C35A62EF8E9C2CE58073750519D46426121C134449C0AD8922BCD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036779Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:36.396{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54606343575521165DD5C415E0D360B,SHA256=BABE3287B459B50AF061BC6187DCB3D7EEBF36C99998D5083AC24EEDAEB871AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:37.470{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A8ED26A8DA638E5C34E824E49D9F36,SHA256=467E7E46B9A406D00B9045E65C5A36FAC911F49C2E91E8D2982F2BEDF391ECDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036781Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:37.411{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1B2B7F02A3D4B9FEFFFE8618338D44,SHA256=37D8C0E6657867E311F003E5D81DA1E5E460A9785F6F656276B38D8530161825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:38.704{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D04909EE819080A6EEFB250F80F70B,SHA256=686D809260AD30D781349D79E114261D51A5B04D0E495CF13A31E75D7BC1B257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036782Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:38.427{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3FC3684E2A38D3D19BB65092F9E839,SHA256=DB6D6351AC3B705193BC50A71F7F6DB79545D93DBCF1B093D423879DB7B3B22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:39.705{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2EFBF8A7272A2B6DE49C15854C81F5,SHA256=46B8900EC9B1A67C9ED8C17B84935D3971E0B343F19FBA86EDFAB5D1EE55EA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036784Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:39.474{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7366EB37347127CF80692097C159C9,SHA256=4F5BAFA239E0C3037D1AAA2E350CC57710BD35EE81B963DB36FA027A5BC0209B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000053608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:20:39.673{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c42b-0x53a5df7b) 354300x800000000000000053607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:38.095{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50122-false10.0.1.12-8000- 354300x800000000000000036783Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:36.708{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51636-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:40.715{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C11248E349ECB0690331CA5AAD5FD2,SHA256=B348FA0078D249FBAAB4B07C5D8419A7F0C98B435F51BDD4B39EBD202958D040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036785Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:40.505{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70F2961FB153A76865153249B88145E,SHA256=92F73EB4899E24193C97B23B38F61871CAEF530017B9E4129DD0BC2D03F924B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:41.731{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E071D12A1C213D9BC4F94563896364C2,SHA256=4F548D61E171AC9176C15E2F3508408DB869E3244C1ABE7F53D2BD0D9721E108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036786Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:41.521{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F940FD98071A2DDB04B79113AFF8926E,SHA256=BFDB9CCFA1372B46514C2053DAED98262D9BD68F1F1AF16F9E6062AE6CBAF116,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:39.516{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-185.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x800000000000000053613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:42.777{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8975EA9639F671871499959A689F6A8C,SHA256=3A5534C76E1A07DCD03472FC5CDFAC90D187EF6FC34F9755B4AEA6C959FC9C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036787Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:42.536{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F13B31092116DBB70382B30BD4C092,SHA256=3C7993975BFEE4C78BAFAB750048FC2CE2B1916C461251DA999D8BEA589DD177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:43.824{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238ABD651D8837DCE342615FC7F19C1,SHA256=C2EDDE94B9E628260575012C6B3DD07200502BC1268E8FAC3CD98572427E68CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036788Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:43.552{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B951229A21415C2B2EE571DC30DDF41,SHA256=8BBE36B06865FEF96390F4DA7E236215D6E5D6016BEEC915B1DF74E0D68DB96D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036790Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:42.708{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51637-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036789Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:44.568{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B940AC2C5BFAEF25A9D60FA3476880C1,SHA256=6FC36D728FC9346485CFFA95362EF43C4D6877A2CD7E585E5B20DEB11375733A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:44.840{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5FE40EBA7648901E39670F5B7465C3,SHA256=9920E3041F883EB825C5BC924001541BB02DF3A4D1E249CCD946202D6841592B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:45.871{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4709477BB9FF403565EE933D1784FD5D,SHA256=18ED2EE4F0F7CA29C8D0FF03DF0C8139B56BFB36F244CE3E1DB91E6A4F96E19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036791Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:45.583{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAB805FEC9E866C2A44AD2CB63FC30D,SHA256=08EF6EE246C8FA144E089AC0732C24FFA06036D2B8731F0E048103D121DDAD88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:43.986{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50123-false10.0.1.12-8000- 23542300x800000000000000053618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:45.246{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38AA79AF32595D1FE451DA0A57AFF5F1,SHA256=907BFD1047134C56FF5016F2BB075D2144CF7B1BFED11161A155EB4203228FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:45.246{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49179682661082BB51E18F7A971010DE,SHA256=4D9E20320C33530780AACF1B2886525BE5D4C6407BFFC14537E79716C4388C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:44.996{8D4DD44E-8034-616D-1F0A-000000000402}6496ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-18_142041MD5=ACB41970EA9FD2375B64B378D4CB30B1,SHA256=3265FF5B14D4A49F43D08DC568B6B63A0A2C38F6C09E22666538953EF3336BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:46.887{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E872E8E0EBB5498EC5133FE41B7ACCE2,SHA256=D0601F9F10D030B1782FD501A16E18A28D5FAB2E1B5E782F17DA1DEF069EF5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036792Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:46.599{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69835B97BF282FD970424C844A733895,SHA256=35D7B4CBF24744F2B1180BBEF26BBDF6131D9964ED358733E512C7250C2933BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:47.902{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552185B37A8C15D09E226BEB6B3B26A8,SHA256=F43C82B15D781CE7720C328FFA3BA57B4D23D610BBA7E7D32D57349063C57446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036793Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:47.615{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F2AFACD68FF979B38578E255EB4FDE,SHA256=BB516EFEEC31E7C9FDD10D3C411FC5F49DB8C5D9EAE43B2449DCF051D6B34C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036795Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:48.623{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20963D8319F91F6107108F112C57FA1,SHA256=06A9F3DD99CAE01FF3E672DB24CF5B7EB3DD1A9DE8B1F8A7CF77A8B6E87527EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:48.918{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83557FF329876C6AA0144C37C7369B87,SHA256=E2DDB227A867A6235A575228727FD863DEA9BE199CBAF6816F771DC23EE86B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036794Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:48.431{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-153MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036797Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:49.629{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA65F3750B4820593E44E9804759AD3,SHA256=26D798B7E1356F4C693F8762136713BA44C060381282C1B9374DF361AE040B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:49.949{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08F3E83211E0F82B9BB794BA2B79B71,SHA256=F54E7CE80A80860E9B21416273160A6154FD0D19B98E10D9FA49784851F1EDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036796Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:49.444{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-154MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:50.965{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226701E5112BBCD088DECADCDA13D98F,SHA256=FD5E2A42AC44B7C71697236BF93C3DD19DC0D8A61836163C8E86735FDBCC591B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036798Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:50.694{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A696863EDAAC0FB2EE0C6EA865A1617,SHA256=C9F5D083C64A15AEB69222F1400C7023F46DC0DD028FE1EA18968FF2BC799F43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:49.017{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50124-false10.0.1.12-8000- 23542300x800000000000000036800Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:51.741{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7974F0F0976E86433DDECD1F2CAB8005,SHA256=B4366129E681894E5613116745CC43EC43513FCB3C2AADB52A9F59E87F15DC70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036799Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:48.615{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036802Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:52.772{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC713DEE04716FF2EEE7480AD085D0B,SHA256=DA1359DB6E597FA76FADD326BDB508F2FE3AC5DA87034083BCE005E11D28D270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:52.012{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C72CA996C09AB9EDC130F695E42B6BD,SHA256=BCD23D2732776C8A14C0570F7B541EAFF4DD055FB6A4CE32EFC45FA97455A7B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036801Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:52.225{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5E52CCF20C68B6273434AE4E3D181E33,SHA256=F45E5554A6889DB6544DF68BC69ABF1895F333031CA238882D9EDD1C9540945F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036803Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:53.788{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B9594A5437BD171C548D98FCDFE32F,SHA256=15EE33E246D1D21C4F38B526B4AEF954DD49896350764E7B4F2C428D244C75BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:53.027{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3839D31B95F746A8EDBB9656C4564FB7,SHA256=DF46CC0B9EE5108EE4A5855119DCF68058322AD618044E469C3B53A837E07CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036804Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:54.850{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A77951BAF8FDB89155019B7C655101,SHA256=5F844A52CF987B2A6D80BD443C901C578586FE7BE7C57EA91665C0C57C596F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:54.043{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C149BF9A5DD4DE6054F00EF4EE376FB7,SHA256=079647EDD29EF34250685D53AFFF82D359E05F8E73A736FCAC2C0A0F59F4841C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036805Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:55.913{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C368B2185B16C17F920AFB00013FAA,SHA256=ADF408A5803FC4174BCFC05BEDAB962B76347B84474FB3FC30918539D4D46CC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:54.110{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50125-false10.0.1.12-8000- 23542300x800000000000000053630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:55.074{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C964137F7223F0B0381B689109E576E3,SHA256=624DB5CC0B6A194E89CCF0F5A3BB6FDBFD5CA105253A537E0737DD8C7BB6D8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036806Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:56.944{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69874244E109605AEE7A6094C1704E25,SHA256=66615442CB6EE74F27848348DEC459EE04D79A2293A6A343B6712B45EDEF9C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:56.105{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459AAEDDD267256E1EFCB69E9CC71399,SHA256=BBE07886B92F4336E5B9C94B24BB43AB302CDF4D24E24C36FAA259E53C2C7D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036808Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:57.975{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BEF4DC9BB4DD67F4F49862027472CD,SHA256=C5B31BB8B7B7E93393A1F898F17E4C0D9E5F8D2DE9EA0DD5A36A89339A8CA8F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:57.371{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:57.355{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:57.355{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:57.355{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:57.355{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:57.355{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:57.355{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:57.121{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8A01A8F744A7EAC6D35C20AE2789BC,SHA256=B63FED7BC9F64DA67D73AF3F0E20E80234CE510FA4F2F489399FEF5A23FC3898,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036807Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:54.636{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000053648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:58.324{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:58.324{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:58.324{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:58.324{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:58.324{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:58.324{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:58.324{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:58.136{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA12CC3776062F2F1D2F648A292515A,SHA256=CE544C994FF90176714D522695EFD38F0BD8181B8B5797370B14A78A7AF9F5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036809Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:59.007{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC6436CBE3070768D6D5C4CEC5D6BFD,SHA256=2324B8E07E7ECEBB66141401EA7D7537A9A4C99F11C4DDAED025A0BE22A011AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:59.168{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F65D34CD134375871B2286452F5079,SHA256=114E039CF7877515FD4BAE014BF16A7DBC33667C9CBAD7916DC8CEACE761E565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036810Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:00.038{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B40D3B6ABF55B6ED5C71DDD06C72FC,SHA256=361FEC8D36B6FCE94EAAFC0F4BA2555AB189F14CD2CFC173EE1BD211131BCF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:00.199{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4229C15CC075D823A354617DB0B221,SHA256=A83D9307C678D4EFF43722AC9ED06AA25CAA866C46EECBC1E4A973A060AABEA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:20:59.860{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50126-false10.0.1.12-8000- 23542300x800000000000000053651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:01.418{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A6C7EFA85414D18BB9AF6673720964,SHA256=546E2441D583FCE5B971E44FFE4A46F7631B6904EAABFDE6FF27C0EC2AAE128B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036811Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:01.069{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434BCB9210FB60C8E15F13F5D72FA799,SHA256=2FC1325F4C0D1805198C6251A92999E2B47BC0A6957A663EF59525F50C174271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:02.433{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A003C871B331C7F933B305CC89032B3,SHA256=8BDEB2D8CAA0494210A7F98DDC8B7772D1EF87B11BED14F3B96D9C4CE4937D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036813Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:20:59.693{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51640-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036812Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:02.116{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614853274C1189060609E9D8B3D971A9,SHA256=91B75E46E5ACA68E87D969F02660AC607417D9A30D9A6236763A1CB941CDF2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:03.480{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81DF041D2C4DE1C0DF5BDAE5CE95483,SHA256=67EDED0B180A89AB979DB5051F4AF7B6F3EF8DFABF2B9ABEE28027DFDD9D2C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036814Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:03.132{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7F8E37724019B70F1553C26FA24338,SHA256=964B0F9CD09D99272C7F4D5E3B7A466CFEF06CE81E8ECC17451857C19CDB7DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:03.027{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76E66EBBA69DEF359AEF6E5F5CD1958C,SHA256=E7C5DE495103A472D2D56FDE98CBA65700E6EB667C5903B83880FB9A16FC5C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:04.511{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5891E53C248812E58697BAE8786D7893,SHA256=314C26C996A82752059F4B0ED84582A9C6588CFC2F7049243DCF0410AF6CF37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036815Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:04.147{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E89A9C2D131FF3BDFC9A20E121B4980,SHA256=75FEBCCE96A5C1D0F46EB8B77133FD1561431A2FEEA821BFA29ACA4C8D9A9F75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.980{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-82D1-616D-930A-000000000402}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.980{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.980{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.980{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.980{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.980{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-82D1-616D-930A-000000000402}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.980{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-82D1-616D-930A-000000000402}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.981{8D4DD44E-82D1-616D-930A-000000000402}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:05.543{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651A7118411C7958815B978161A3E7A6,SHA256=07E81FE48AA8B9480F0DC39D01B3998CEFDC280E3088A00E190AA84B25843AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036816Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:05.194{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755BAA74C392A67F2D622DFDA4C9F55D,SHA256=3C0D221B8FA3FD47EF4CA47251F66054F37D0F9DA2F063CFA5DC6F18C1E6DC90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:04.907{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50127-false10.0.1.12-8000- 10341000x800000000000000053675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.652{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-82D2-616D-940A-000000000402}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.652{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.652{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.652{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.652{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.652{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-82D2-616D-940A-000000000402}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.652{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-82D2-616D-940A-000000000402}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.653{8D4DD44E-82D2-616D-940A-000000000402}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.558{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7175B933B1FA4D1A4C4A2E5CE9C31BD2,SHA256=15C6BDA6B4D00E207CDDCF5C4BC0AFA56E082A9295900B7EF76B84F07EE88F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036817Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:06.210{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D1BEAB82B4B8E886AA368776C9D940,SHA256=998168662A5E571586BE55309993B82841900E1B144AEA75520AB5E0E3BBED6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:06.152{8D4DD44E-82D1-616D-930A-000000000402}28686224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.996{8D4DD44E-82D3-616D-960A-000000000402}50683616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.824{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-82D3-616D-960A-000000000402}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.824{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.824{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.824{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.824{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.824{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-82D3-616D-960A-000000000402}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.824{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-82D3-616D-960A-000000000402}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.825{8D4DD44E-82D3-616D-960A-000000000402}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.714{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F347D2AC630DA860C21479CB5F2F12,SHA256=A89DB322301710CD76104402C4D4C12B5E5249F4FE896A99CC753A4CC0E99DB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036819Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:05.693{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51641-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036818Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:07.225{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F7DEF07892ACB460C784394E3C4EA9,SHA256=D8220ACB26D86F6663D0D285FD9B24C39DF131F118C3F781BC4CFFB965DD7B4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.324{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-82D3-616D-950A-000000000402}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.324{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.324{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.324{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.324{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.324{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-82D3-616D-950A-000000000402}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.324{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-82D3-616D-950A-000000000402}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.324{8D4DD44E-82D3-616D-950A-000000000402}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.011{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE3CBF22D87FBD4F364475C77D7E30E,SHA256=31C33A2EFA5574F5E7BA4967962011E60D2874657867EBDF123489E4FD8AD6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:07.011{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38AA79AF32595D1FE451DA0A57AFF5F1,SHA256=907BFD1047134C56FF5016F2BB075D2144CF7B1BFED11161A155EB4203228FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.715{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF8DF1A3E8D8FBEF3FB77B8CD10603D,SHA256=2AC986AD5F3F8C5EB3BC41109A5CC18BB9C856FFAB862BF29F8B57A588E20C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036820Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:08.257{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8661F93F393C56B43E9C52737EF919A,SHA256=C7DEF77A6EE661F737512FAA27248C0295C07866D23A4645B8DCF4EBFC6BADCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.652{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.543{8D4DD44E-82D4-616D-970A-000000000402}70166988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.402{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-82D4-616D-970A-000000000402}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.402{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.402{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.402{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.402{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.402{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-82D4-616D-970A-000000000402}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.402{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-82D4-616D-970A-000000000402}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.403{8D4DD44E-82D4-616D-970A-000000000402}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.371{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE3CBF22D87FBD4F364475C77D7E30E,SHA256=31C33A2EFA5574F5E7BA4967962011E60D2874657867EBDF123489E4FD8AD6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.746{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014F35637D73A1D668C8955C09B6A593,SHA256=1A49F1A249908C6613A8AE0771FDFB52D00F3DF782DECE01BBE64F2E5E8F4552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036822Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:09.412{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036821Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:09.271{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7CA0028EA35EB3881ED0779C70C7EC,SHA256=6DB51C2C37A117C616CF976A24AC4BF8189EFDBFA0107BB1CB25E0DD5894EDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.403{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E970B5B9938443CFC71081D4B53FD01,SHA256=37E7E58F75FCEAD3C9526387657CA2F27A99AC11382BE92EF8096D69D8B288C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.246{8D4DD44E-82D5-616D-980A-000000000402}43166700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.074{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-82D5-616D-980A-000000000402}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.074{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.074{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.074{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.074{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.074{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-82D5-616D-980A-000000000402}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.074{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-82D5-616D-980A-000000000402}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:09.075{8D4DD44E-82D5-616D-980A-000000000402}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:10.840{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC2A269512729E53E68661A99ED8EF4,SHA256=DFECC9AC67F18484AA8538A8055E298EA99AF3C6B1C83B31488F6E5EFA5619AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036823Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:10.287{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9F4B52B962813735E4D7A5514D7F57,SHA256=5B872BACE19409C9B9991A94BABA1F931B83EFFB1A320E22436C1744281A3DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:08.485{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50128-false10.0.1.12-8089- 23542300x800000000000000053720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:10.090{8D4DD44E-8034-616D-1F0A-000000000402}6496ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-18_142103MD5=24030C3181F00A787C41588BA9A839BC,SHA256=4AB51E1D499CA244029FECE66E7B549DAD2AB6F5BC9FD17873C32F98A0A32011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.856{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142363F82550F84F25132573F512D99C,SHA256=A0CE9273DB92636CEB3962AE4CDA064D35A2A890CBBC1767CCB9EA5AC90A35D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036825Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:08.880{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51642-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036824Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:11.334{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAC5A29DEE33FDF745B27E6FB6CAD29,SHA256=FD4C42E8D892AEC7B2E7284E7A1551C8F0C02F76F10AE75FDE5583A0E18DC895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.778{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-82D7-616D-990A-000000000402}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.778{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-82D7-616D-990A-000000000402}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.778{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.778{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-82D7-616D-990A-000000000402}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:11.778{8D4DD44E-82D7-616D-990A-000000000402}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:12.856{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E64CEF3549C44667AB539783C15F6F,SHA256=10F944E53D084AF42334483BF71A7F304A886E205E6566BC75FD3332EC846D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036826Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:12.349{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656837B56CC795665D5CF73ADA55CA1C,SHA256=722FF724452F9725925BE0A40703E5DAA8A747FDC0983A476EBB64093C578C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:12.809{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A456278EE3F4972796F59800A73DF0BB,SHA256=82540924B4A52A18EC2ADBC4619420DB49C03C94BA4976EC08A15C7C3BE90DB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:10.079{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50129-false10.0.1.12-8000- 23542300x800000000000000053735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:13.857{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86576F548CFABC422F0F1E607998CA8E,SHA256=E5E1F3327481AF0F9D1AF20C771180C44F5D797B69D1A4EEBE864EBE4E10BBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036827Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:13.381{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7E3E5750C4DEE2222363F185A3BFD1,SHA256=15850619A73DC5ED1AE3B00CDBADDEF0206C224252983E578B8E9D31459D6808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:14.857{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E33A2E0C72BD42F858D6BA6C0B5A85,SHA256=329AA3897D16E83A8980CE9859D6340ED51FABF861A410EC078A0525D5271B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036829Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:14.396{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6A5BE8E9AD28475E4D614909BA7C0D,SHA256=EFA01312695BBB4E208AA226AA69D35AF48B8075544D5C4F40D1F6F69F32BDA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036828Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:11.645{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51643-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:15.858{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9F34A395870B081A3526436B1A0820,SHA256=75FD966AD04C880B3D3867DE2A5F6BDBFDD18A9CAEB4FF234F2161BAE535C14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036830Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:15.428{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B09AD6F10855D26A43E1AC7B974B1F,SHA256=56A5A70DCA134B64F23BF7C0065F17B640D16ED610F302417DC75EA8049E66BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:15.717{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:15.717{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:15.717{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:15.717{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:15.717{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:15.717{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:15.717{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.858{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0631054F048BD800162F90583BEBE918,SHA256=1C0477E8F2E470D6AE636FAD7D22A6F585D9F2716939A0A0B3911A7F45913C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036831Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:16.443{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F77816873DD90B43FE007082787DCA5,SHA256=0B4637ECEEAC017E6B0E96FBA57FA47F7E9CB1D8523727455699CC571F38E4A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.545{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.545{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.545{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.545{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.545{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.545{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.545{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:17.859{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6651FF02CD3374CAC643B08D6E9C1B,SHA256=F5F6187EE79B7F21A9699356036181C196EF9106851E89425604CDEF7CFE4FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036832Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:17.506{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BA57B6DD3840E04982D92B65A5478F,SHA256=D30D1F26B7AC3C2E271B1252506360739368BB14FD7330E4F4C300619989C465,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:16.019{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50130-false10.0.1.12-8000- 23542300x800000000000000053755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:18.875{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13ACC7F68EAE9F1D028127A6F9ABBE9B,SHA256=F7FB6D163746447B082143ACC9BE7F4C7D1D78886DF8C764014F97628EF69AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036833Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:18.568{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FAE9594B6C53401C25F00CE37EDAC2E,SHA256=ED5F4F80BBCC87874758D24CBC05631FEFB7B8C1436A5159D6D2711ECABFF988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036834Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:19.584{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A72A4544A6550AFB873EBE03338C99,SHA256=CB5D4381DC9FACE260193166E6547FB0D98BD1457FAD13C967F39F96BE7A8683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:19.875{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5663CAD02B55FB188072EC9B95491DC5,SHA256=C730078B3147B8BC59A49667F36F88E2B21DAD808B30D78E6E96C8B50293A0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:20.876{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141B1C56D98E82CA0C855AE38841F7AF,SHA256=2A184A77AB9BF27C0056A20DE4E0D010E22FAC698CFFC4019F0B938D7123DA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036836Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:20.678{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4404C47C6EF2D5D03B8CB38C51DC918,SHA256=8A8324C9E7373826DFE0C5C45CF3112CE7E65ACCCDB06EF258FFF063DAE2665B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036835Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:17.551{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51644-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:21.892{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9EDA5CAF76FD54090AA21703283E41,SHA256=8C01CA95EDD028B4B18AE2EC8EB09E9F9B0A5F0667A7849200A333C73329746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036837Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:21.693{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED0E39C2A4C2AB06858D8C4C9490602,SHA256=765057A718FA23A885969C6C926C2F32BEEAA9B7046DF63792520BB71B5084F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:19.200{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-185.attackrange.local59539-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000053758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:19.200{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local57450- 23542300x800000000000000053762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:22.892{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51F61C1437C020C82CEDE7123470DE1,SHA256=BD989461007853A398E85894128E79E35F3C790D2CF2CE694584A184CA78C10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036838Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:22.724{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAF2023C6844C266004350E75098A72,SHA256=855B3BCB26F448AA745F0ADAC3B30BDA322F9239E3BF4751EB555BC360F7BD66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:19.204{8D4DD44E-5BA9-616D-1400-000000000402}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-185.attackrange.local50131-false8.248.141.254-80http 23542300x800000000000000036839Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:23.771{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EB5874FDA0F9F567CD856359584897,SHA256=5F7FFE5F5B3E81A65FB4040CE51995EB5052A7F3823B26EA8A73FC17B198DBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:23.893{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C6D890CFB46A54EB03249ACF5248BD,SHA256=3AB2D5F9C17058E3BEF288C95E050E7F9A6FB69CA82A51D856A2BEC5BC3248F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:21.021{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50132-false10.0.1.12-8000- 23542300x800000000000000036840Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:24.834{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BADAA6D61D08E53E7467056BF05A1F3,SHA256=B9A632644AD5A93097F342ABBCC2D064F19AC7BF21F10C44D8581E250BDDF5B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:24.893{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F770DFAFA96AE4B1AD6D7D0BC391A9BC,SHA256=CB693BF2B76C760E46C32BA01EB26C77FA7A781BF9751708C748593C5CA59CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:25.894{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC77CD26A05CFC7F47365004E4ABF9D,SHA256=FC94E4A5D4A53A7A2A8F9DA1A8D548F287197A3F9B1D995ABD5DB4828EF3EF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036842Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:25.849{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16FF55C770B002988E2A68A59AED4B5,SHA256=FE746F4569590EC878BDABCC37BDCB5AB8F10D62B3CE2432358A1A8095B893A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036841Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:22.567{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51645-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:26.894{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DF07BBAA80777999AE7E6B93317F95,SHA256=9C2FEF88A23154E06519F13C0F55665FBC866BC0BC3D5C80E2F60753C399D4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036843Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:26.896{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5B404F141E49600E213AAC02E4C093,SHA256=04F8356BAD3D33E09561DBE48FD1EF9F3A51BD1CBE4C59E75B1EE8A447AE90CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:27.896{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9BA4F6579568CFB765D0EE37DC7A20,SHA256=120BC70682E1DFCF76D2EA959455EBF97270ECB534460FE77BA5A778133090A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036844Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:27.943{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F92694ADA7FB051D203F1C0B8D9125,SHA256=9EEF6C0DE8D740B86985ED6479F992012109AF9B6A239935C45907B41AF1D6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036845Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:28.948{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248145051B586ECA91C6EAD261B8CF6B,SHA256=16FD4135149077FF6DFE9C4D73A7CDC5A6584BAC80E42E2F8863A1FDE8BF61E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:28.907{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E98F2FE53CCBB46C5498A15CBA1003,SHA256=127A97F1C83C19EABC24060A2051A1E722BF766DA6F16E89A055B620EF4E8865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:28.305{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-162MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:29.911{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774AEB32C776F3B5294A2DC5B8AA5CBF,SHA256=4247F3A660A93AD277F6F219DEFD7D6E76A8E7F430D5014BF48CF4E2221926F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036847Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:29.979{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66089A0EC8DB29E79F36D39B1EB0C1A,SHA256=3CBE951EC8923BE96F955998058294FF5A95ECE0DA1EF872BE5DE301357B5ABD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036846Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:27.723{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51646-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000053772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:26.977{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50133-false10.0.1.12-8000- 23542300x800000000000000053771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:29.314{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:30.911{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E4C31B60A42070093ADDE9135AC808,SHA256=BFA9D25FE1589BB2F941482D227B71D53AC3C034688BE6C820F962D22D780C7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036860Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82EA-616D-FB07-000000000502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036859Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036858Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036857Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036856Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036855Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036854Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036853Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036852Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036851Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036850Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-82EA-616D-FB07-000000000502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036849Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.729{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82EA-616D-FB07-000000000502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036848Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.730{6F8252D3-82EA-616D-FB07-000000000502}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:31.927{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE80968A87C3DA989E7117EDA8DA1440,SHA256=F015FD44CEE251352C69644D57818127304E1027EB8242F4D7BD2F50B28C1781,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036890Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82EB-616D-FD07-000000000502}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036889Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036888Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036887Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036886Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036885Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036884Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036883Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036882Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036881Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036880Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-82EB-616D-FD07-000000000502}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036879Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.917{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82EB-616D-FD07-000000000502}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036878Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.918{6F8252D3-82EB-616D-FD07-000000000502}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036877Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.745{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E3888832D87D79EEDAE9D81834F216,SHA256=F56B401148B627583F8E0C7FB4A308FDEF97448BEFC4B61F0DCC02ECE0D2956A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036876Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.745{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCA36D706358E738971D07892FA7D838,SHA256=B385A2D57215D41984D235A1705071B1DE6A1728C2F260C38B16C97191F3F5BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036875Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.667{6F8252D3-82EB-616D-FC07-000000000502}7042000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036874Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82EB-616D-FC07-000000000502}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036873Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036872Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036871Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036870Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036869Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036868Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036867Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036866Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036865Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036864Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-82EB-616D-FC07-000000000502}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036863Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.401{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82EB-616D-FC07-000000000502}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036862Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:31.402{6F8252D3-82EB-616D-FC07-000000000502}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036861Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:30.995{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94666CF8F97851961A07654E36B46856,SHA256=0546392D47465E3616604758257A51B621ADA737587FC4DE347B376113B137E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:32.928{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2B6C42E24B11F0965BD96B501295B2,SHA256=61B9BE63C85DE97AD879999CB6DCA797B3949E159318260EAB992DDB5B491C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036892Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:32.932{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E3888832D87D79EEDAE9D81834F216,SHA256=F56B401148B627583F8E0C7FB4A308FDEF97448BEFC4B61F0DCC02ECE0D2956A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036891Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:32.198{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6B978EE79BEA827B06BA1FCD0EF299,SHA256=0C2FCEAC53F2B2985C9D65022392551B3DBD652A389046632E259A1153FB8C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:33.959{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A5E5DF089393B1484400FE8689212A,SHA256=7740E6018994A614E8149000FE218D7D25992DC711F1F5BE4E126509A25F96C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036907Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.511{6F8252D3-82ED-616D-FE07-000000000502}82456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036906Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.386{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57101595DE504F36C728E205A7993392,SHA256=959EA7E8A2BE2784B5D448C23C0F31FCC9B7622D1C02B8A2E0E99C75479FD8D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:33.537{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CCBD6D888AC6CEB0741C6CC53B43B71,SHA256=E73549165A93BAD24FD896C395EC8B3B880DC8C6339A3F0658F91B345BEE5F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:33.537{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45014033AAEDEA236C954ED83CA814D0,SHA256=7D0AA9171172CF58DAB1FE91207998F60CA1F1F5140B2ED37B90DD058ABE7D54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:32.025{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50134-false10.0.1.12-8000- 10341000x800000000000000036905Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82ED-616D-FE07-000000000502}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036904Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036903Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036902Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036901Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036900Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036899Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036898Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036897Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036896Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036895Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-82ED-616D-FE07-000000000502}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036894Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.323{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82ED-616D-FE07-000000000502}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036893Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.324{6F8252D3-82ED-616D-FE07-000000000502}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036923Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.542{6F8252D3-82EE-616D-FF07-000000000502}31963760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036922Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.495{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0CAE8C267B3111CEDF1D530C094AAB6,SHA256=6B2DAA18CC0ED1ABA8EA839BA6743EB6413A1E40DCD237A0C389E17C3E99FC29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.866{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000053812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.866{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000053811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.866{8D4DD44E-79A3-616D-3609-000000000402}48004240C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.866{8D4DD44E-79A3-616D-3609-000000000402}48004240C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.851{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000053808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.851{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000053807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.835{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000053806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.819{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000053805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.819{8D4DD44E-79A3-616D-3609-000000000402}48005816C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.819{8D4DD44E-79A3-616D-3609-000000000402}48005816C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.819{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000053802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.819{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000053801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.819{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.819{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.804{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA9-616D-0D00-000000000402}9042524C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA9-616D-0D00-000000000402}9042524C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA9-616D-0D00-000000000402}9042524C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA9-616D-0D00-000000000402}9042524C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA9-616D-0D00-000000000402}9042524C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA9-616D-0D00-000000000402}9042524C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-79A3-616D-3609-000000000402}4800632C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:34.788{8D4DD44E-79A3-616D-3609-000000000402}4800632C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:32.369{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50135-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000053781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:32.369{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50135-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x800000000000000036921Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82EE-616D-FF07-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036920Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C121806DB330E34946756724E933473,SHA256=EE45C4A71B5E732460DDC687657589D73F00E8770228596D4BE98E536FA67024,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036919Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036918Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036917Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036916Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036915Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036914Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036913Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036912Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036911Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036910Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-82EE-616D-FF07-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036909Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.401{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82EE-616D-FF07-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036908Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:34.402{6F8252D3-82EE-616D-FF07-000000000502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036953Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:33.681{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51647-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036952Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.636{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1362D5F8E8C1F6432EE17E05676C61A,SHA256=CF1A932F08C617F0F3F3CB4D7CC5CFBD92AB28F452B1222F0BA5A9E95C9FBE16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036951Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82EF-616D-0108-000000000502}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036950Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036949Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036948Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036947Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036946Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036945Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036944Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036943Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-82EF-616D-0108-000000000502}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036942Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036941Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036940Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.573{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82EF-616D-0108-000000000502}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036939Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.574{6F8252D3-82EF-616D-0108-000000000502}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036938Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.542{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7075BBE64385A53F60E71442C9E54BF1,SHA256=564036FE9EBFD700DADBA4D02BAFB6B2729CFD79662570FAC21ACA86E1E33097,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.742{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000053828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.742{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000053827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48005328C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48005328C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48005880C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48005880C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.726{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:35.320{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F6ACB76E553FA28E8187234C55F033,SHA256=80DC2A002604439AFC89587BF0FC29336EDD6FAA562DE10292788CDC6F0DB9AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036937Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.307{6F8252D3-82EF-616D-0008-000000000502}27201948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036936Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-82EF-616D-0008-000000000502}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036935Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036934Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036933Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036932Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036931Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036930Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036929Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036928Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036927Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036926Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-82EF-616D-0008-000000000502}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036925Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.073{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-82EF-616D-0008-000000000502}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036924Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:35.074{6F8252D3-82EF-616D-0008-000000000502}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036954Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:36.573{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EB4A5F6BBDBF631E190A908A99901D,SHA256=02283B28B777866FF47BE12D6CD4CE6B222E3D1A8EE0C0485580BF4521A551AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:36.320{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13993995F9DAF6873AD9609290F81F93,SHA256=9E54C00B0EC335A0ABC1A628C33C0C28C7B76FFD6C272F0C8280561D77454047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:36.164{8D4DD44E-8034-616D-1F0A-000000000402}6496ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-18_142124MD5=D01E5D53A24A301A925A9172CBAB1543,SHA256=FC3856F0DA03160A1CDB00B91AE744777E05650D722A0E959FBB9946B30CEB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036955Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:37.589{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F70952414C2D82C3BFD2C29892941FE,SHA256=A37FCD6876115A0EA2F4B17A24530690A2D2078AEB9BE202A16730F90DCC7E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:37.539{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD88C9D047E357755CE3E81F177E21B,SHA256=C7C7B35F4D773DF6F05BF19AA2A4A793F7E9E8B94F26EAACC62BC70E4B963093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:38.556{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7A6EB1FC0C9288AFA39FB24C6921E8,SHA256=A62DC909AB2C9832DE6B21CA968E64C9C9497462B5B72EF5D5BB24E6F0BF5A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036956Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:38.620{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9394F888C8FFB6342B3A7F65295D2B6D,SHA256=B25FF168013F2CD25BB761FD465C8B759BA19B4DB46CE1DFEFF09ADB3197CF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:37.075{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50136-false10.0.1.12-8000- 23542300x800000000000000053834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:39.556{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA30AE2DE8323D5576C6B75A04294DF,SHA256=84F0487309CB0CBCD821DEF3CD630CE19B8058FF9B6FD1DA613D00D86C8A4894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036957Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:39.651{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208C0027D49080D4E1CAC8C1FD104C70,SHA256=3E6630869ACE1B74DC7DE623AFEA220A8F43033EBE20DBF8D7B7FE5FA3679721,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:40.995{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:40.995{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:40.995{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000053841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:40.588{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0542BAAB825332E0C762586A379EB17E,SHA256=E023E82B23D8DDD7869CFBEAA31A14527D0729174189C4DD236CA300129E1CD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036959Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:38.712{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51648-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036958Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:40.682{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552C5BA40898A1C6392C457030CEB929,SHA256=2E6242BAB13DA5AFE0A657F459E241692D788BC373A9EC069B63E06BD75445A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:40.353{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:40.353{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:40.353{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:40.353{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 13241300x800000000000000053836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:21:40.056{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7c42b-0x77a39f42) 23542300x800000000000000036960Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:41.683{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F667EDBF6B26BE4CC47038A7340E0E,SHA256=3C1331F5A389FC6DC81057DE1F9B01E65EB0107F24EB371F22C6A72E03BDB6DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:39.888{8D4DD44E-5BA9-616D-1000-000000000402}496C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-185.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000053858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.589{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B3EB0C41F8B41E20D96A4815FA4FB1,SHA256=FC42B78DA7DE1EAF8E3C452D808D0E5DEBA149525016AF3EF10F807FC7485764,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.573{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.573{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.573{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.557{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.557{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.557{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.557{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.057{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.057{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.057{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.057{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.057{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000053845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:41.057{8D4DD44E-79A2-616D-2C09-000000000402}19321188C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:42.589{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300273F2F8E5E479AA82B282BC61C13B,SHA256=D6BC4EFDD682ABB62D7548BF804A3EBF33E87B0A077B631954E5D492DBD56D6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036961Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:42.698{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5CD2ABBE22BBBFBE2FD0FCFACB6408,SHA256=2274EB870FC66E98EB96B493D314AFAA729A252E6C80CC14B3612D92A72F59F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:43.605{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F79C55FFC894833B91DE3136BC23479,SHA256=9C76A6590C6D796BBB0B6A092091921F0CA8AFD23E74EC14EDE6243A31A30EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036962Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:43.714{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778E2D83F50D40FA10513F49934A9DFB,SHA256=D2BC6F2294727F4967F9E2DDBBC80E084CD54580683C45B18434ABFFB1755D62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:42.953{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50137-false10.0.1.12-8000- 23542300x800000000000000053862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:44.653{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4559205D3348841D87A02BCA716F879,SHA256=393CE5088723C04B479FB891E5B601184605F4A34F589B7C21E3B147E6B31D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036963Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:44.729{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0011AA3255FBDC91450F636E5006A810,SHA256=4B990710A4C2A9D422276CFD0FE5C53729738FE3B1BA98C72FFC6B93ABAAEEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036964Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:45.745{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F00EEDFF9B8DF54D280486A01755898,SHA256=6F35B009E2B49309C9D04E8ADEF1C06124A199C89C94B4F3F25120D558DE4F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:45.684{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F69565DEA0BF3C49DB73C958A473448,SHA256=E8D212C4C4E0319BB3E9878AB4ACBBC41D0057865C8F79D47A5B81C107F62E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:46.685{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E8ADFD5BF1AD87556048E10B159CCE,SHA256=B4C68A7AD1FB5717D5A7669C013D2E4E49C0332929DE9D50B50E8C82D47302EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036965Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:46.761{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12ED16D4921C4FE0B3A456EA7B0CB462,SHA256=77F88D68DAA09C03E65D284AF1B748A2637BB5F40926F7211B54A101974D82C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:47.857{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17E207B61A9360D01AF078B3EE3F406,SHA256=7DB0D2D635F1007B20FB2E5AA8091A88181F4D1D4FB9A01BA7057BD9AAA836C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036967Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:47.776{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E384046C743D7618A73D93C5BD4D9DB6,SHA256=910E9D2127C1816520D485CEFD4C6A40B9718916EEA8FE5DE95B5133453ABFE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036966Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:44.743{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51649-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000053867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:48.969{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08085F6E41EEB5EC630A29EC4DB4E7E,SHA256=5686E34D584BBFAB8F72B494DB630693CC961CE485363F8D044B5C85B946A5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036968Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:48.823{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA47D3F57976177F3962CB528BCA792,SHA256=6D1CD904CA9914981CA29F240A269BBD7676C38FEA26BB66FDDAA8B4F5AC8B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:49.985{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1146591A108F0E1DCB339CDC583848C,SHA256=D6881CA78D6AF5039C74547E726FDCE98B1CFCC75646162F18F31287EFE23462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036970Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:49.967{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-154MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036969Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:49.840{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3E4DE492A3756114A39F9EE95B40EE,SHA256=76F58B0203FFA50A915B8C3A40A624888469AD5910B68043536CE4E1D5B4AF00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:48.111{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50138-false10.0.1.12-8000- 23542300x800000000000000036972Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:50.981{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-155MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036971Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:50.855{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2285CA170F2E92D0E658BADF628EFF,SHA256=75743C18654F5596490D8DD4FC3146113A2422188C709FECC68D5D3B68064B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036973Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:51.856{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB77B885FDE6D737997EFC0A9002521,SHA256=FECA9D4989F4B7D04A0535CD7E7E9D856650F744FEB3BBB5D68C2378FCBCCC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:51.001{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A03B9EDBA79415B63133C552491452E,SHA256=868CCB8270078A87404C8A802F1066BF2C9D4F64229D758173ABABBA21FCEEF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036975Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:52.887{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6AEC5BCDA6AF77F77AF3C97BE02925,SHA256=312065EE69AE46C16F2C271DBF0267E2BF421A857B4FD7E6707EC001652D9CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:52.016{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38316F424F75A76332516E645583E5C,SHA256=C5FF3F19BCE2450B772AA35837F4BDA1F431F12D93462DC39546EF05C664465D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036974Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:52.231{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EAB824FD3DF0DE277AD9635B52910190,SHA256=7B68089A06B1A9661A7F22CF6A831ABABF53F1D7C36DD1BA3C3A02F0EA878A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036977Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:53.903{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0265D773B82079366C5E3FC511B3DB,SHA256=B6B34FEF63F74B22429053B94F20C51CC65E94358973A84ADBD93DFE2FB1705F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:53.032{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5D65F35D067D116C0FBA7CE9B167C1,SHA256=BF159D9E6CC666FD61B4D50443F6FD273C6761EE1B888BBDBD155F897DE9FC87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036976Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:50.695{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51650-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036978Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:54.934{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51910794F89AC567E2E20A37BC039E72,SHA256=1CCD627B987C14F51C2FE38BAD501B00E05934BFE9F685DF509E0657F196F900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:54.266{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2A09-000000000402}4840C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:54.048{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E784C8B2936E5CEE8E3D9645721C9AA,SHA256=7D35D423FA8700875B0469A7568E7C1539547282C512DF9A5FBB6743563FE4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036979Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:55.981{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9130CE41DE4B4B1C7920A1029A8AB25,SHA256=48A91239875AD08797044878E67B009DC3E9E480C1574147A02917D09806ACAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:53.849{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50139-false10.0.1.12-8000- 23542300x800000000000000053875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:55.063{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746CD5B9C6A231F957BDD9F44D4317E6,SHA256=37647C23AF20A8DEC74FB7B809F1BCB5215A896B004B48DB7DBF5B7E55162660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036980Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:56.997{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02018243C5013875FCDAB9414BEEC96,SHA256=F5978ECEC0C1CA436E2D97FFAD4AFBFC0575AC29C566968D40BD16B221C87773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:56.095{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000053877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:56.063{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EFA74634756D469E02F2C99C88823C,SHA256=D06ABA598932D552D0F0325C12CAB490857C423FED607FBAE8B5FB8093DDD644,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:55.946{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50142-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000053886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:55.946{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50142-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000053885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:55.843{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local50141-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000053884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:55.843{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50141-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000053883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:55.836{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50140-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000053882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:55.836{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50140-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000053881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:57.079{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C6C7826E58F51803413D0E803BDE8D8,SHA256=4FFF9C766A94361E66B7C368ECCBBC0A2BC1F0821B90FA87FEA8F89CA38CE580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:57.079{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CCBD6D888AC6CEB0741C6CC53B43B71,SHA256=E73549165A93BAD24FD896C395EC8B3B880DC8C6339A3F0658F91B345BEE5F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:57.079{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437F86C608EFF7914263F5758A6BB680,SHA256=E135E2DA0373C2F358B14C1F6102261E651FC4D8BB852D6B424C8A419EE7DD58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:58.094{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4E1635520D9139D302704666EB7016,SHA256=B81BF5260CC9A15D85AF8EDDC2BB0745A3E180E1788D796E1EB70BBAF47B5EA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036982Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:55.744{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51651-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036981Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:58.012{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA837111CF6CE537A5394081FE198DE,SHA256=8A099DFC1BBBB7F39FED54B6B481E91018E58109DB6209A8AF7E711BA5F33A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:59.110{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE40E92D9DE793D4C8E11D56EA656249,SHA256=1107167286697FA2898DB87CA536105BD8774937928E013FC59B5AB79DA20050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036983Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:21:59.106{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BEE3A2AF0ECAFAF7C47BD39A45CC43,SHA256=3914EE34CF251084C1A7E2D09E153724E16DC101FA1A7BBEC14AD0A99A36F31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:00.126{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD4248B4B5358454604F3652743B8A2,SHA256=F696144F09F42F8B1B5ECD243F555206349D3158FACE8250CAFDF493D32E22D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036984Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:00.122{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6778F3774224341953BF78D990F281C,SHA256=91120E067A2DFDC85B8CC12738DE8C8180029765BB4C1C4CE93C7E67AC284E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036985Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:01.184{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2999416EEB119CFBDBEC0030E2D743,SHA256=F6BE140E19E1115C578C72C8E0D80FF4D6E938D97738B14AD8D2E43050A22EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:21:59.083{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50143-false10.0.1.12-8000- 23542300x800000000000000053891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:01.141{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9338E49BC19CE67CC96BD307A9F0C5A,SHA256=B0C65EB2345B1DF9A9FCE3CB628978BAD3FD1ED06315ED372685C89A272AA73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:02.159{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0092DCFA5AD88D6622E291BF1F15E65E,SHA256=9618AC4FAAF7226317E97757202E7F8FF0E6346C48F8612BD245BC2CC0CD1909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036986Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:02.278{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18A46C0F4DB0350748D9EC295C037F0,SHA256=16C115AF26F97C46B4C16B28117F96A6CF67D6D685FED6579514F3A1308DECB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:03.173{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884DD5F063148EF1825B968462F891F7,SHA256=EF6D6198954D51AA31C85C4EDCE659B6C0513D01C1A416EDD4EB738BC6281F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036988Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:01.510{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51652-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036987Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:03.278{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7538BD9CE940577E94257E0B64B9EFEB,SHA256=5DC0EE00855D7543C3C5145C5EEF98B6327646E7AF38551C559107F948460E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:03.032{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=633058A67F143D74C3CD0D40ED1455E9,SHA256=737F22BACF8E2A5A1327E697D561BF4C3BC4962FBF1CFF9DF8E38EE818A83398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:04.188{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D6D120F9B749887004D713FD522F35,SHA256=98C82DF61C013A7E2397B566E86078778C3954965A860D5FDAD4071EED33D7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036989Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:04.388{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9367822CD52513B6DBE8A7515FC3F3,SHA256=FC2CDE467B55BF71D02E977F487BC1D54047D55641669BE375B18A2EB3CD4CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036990Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:05.403{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7640D83EB9066F4DAB3B7185D808D116,SHA256=3D212F8EA6E2AAC2DBB73E37E658B7698D71862A28E5E0483B25DAA5878D8F67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.985{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-830D-616D-9A0A-000000000402}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.985{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.985{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.985{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.985{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.985{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-830D-616D-9A0A-000000000402}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.985{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-830D-616D-9A0A-000000000402}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.986{8D4DD44E-830D-616D-9A0A-000000000402}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:05.204{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82AF95C107BDA3677785330C5BEC0EC1,SHA256=A8887EED047604C26688E26C6B5311A5E0F109A19DA7235024B8EC0EE96AD617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036991Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:06.419{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE62869F89CAB5D3D8B4E02DF208B326,SHA256=A5C76CAA80335A651243CC633AB5F4C89E409AA35BD6C92A1E56A970162AFE48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.876{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-830E-616D-9B0A-000000000402}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.876{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.876{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.876{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.876{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.876{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-830E-616D-9B0A-000000000402}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.876{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-830E-616D-9B0A-000000000402}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.877{8D4DD44E-830E-616D-9B0A-000000000402}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000053908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:04.911{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50144-false10.0.1.12-8000- 10341000x800000000000000053907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.360{8D4DD44E-830D-616D-9A0A-000000000402}52965892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:06.205{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425F1FA854332A840808A2D4889624C0,SHA256=C05D1978854BC7F5602985CA35E634AD986C8BF733FFCFAC58F31B7E25B446FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.376{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-830F-616D-9C0A-000000000402}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.376{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.376{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.376{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.376{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-830F-616D-9C0A-000000000402}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.376{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.376{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-830F-616D-9C0A-000000000402}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.377{8D4DD44E-830F-616D-9C0A-000000000402}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.219{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155804A2AF7FA0E8870F980A55B3EE97,SHA256=EF8BF73E05580C99EDB6761C5381EF534CB03F433980BADF70700969E3400781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036992Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:07.434{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB58AD8916CB5CFD2FC0C450F55780E,SHA256=363768325EC6DFCFD5FE7D829795134F3EEC8487F9FCE76239F2D0F934779488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.001{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55B69C214C97868E3BC041ECA8C73B91,SHA256=BF8692FACA9AE8F8D20585451FCE81E5B1B5AFDF8A403DE36F07AC6B75E24174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:07.001{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C6C7826E58F51803413D0E803BDE8D8,SHA256=4FFF9C766A94361E66B7C368ECCBBC0A2BC1F0821B90FA87FEA8F89CA38CE580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.787{8D4DD44E-8310-616D-9E0A-000000000402}55485524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.673{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.610{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8310-616D-9E0A-000000000402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.610{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.610{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8310-616D-9E0A-000000000402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.610{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.610{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.610{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.610{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8310-616D-9E0A-000000000402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.612{8D4DD44E-8310-616D-9E0A-000000000402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.391{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55B69C214C97868E3BC041ECA8C73B91,SHA256=BF8692FACA9AE8F8D20585451FCE81E5B1B5AFDF8A403DE36F07AC6B75E24174,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.251{8D4DD44E-8310-616D-9D0A-000000000402}51327120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.220{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F066A05B6F7FB36B9897BF92E0325A,SHA256=5E794CB96D9E8CC20264AA9577F32E42F647CFBF2FF7654C203B9EB499D6669E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036993Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:08.450{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A539C36D79BE0A62E2F8ACA4CCA3A92,SHA256=50068D39C24D94EC26B77E7CDF5897704A071E9B07399A0A33EE454A7E121E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.048{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8310-616D-9D0A-000000000402}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.048{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.048{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.048{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.048{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.048{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8310-616D-9D0A-000000000402}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.048{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8310-616D-9D0A-000000000402}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.048{8D4DD44E-8310-616D-9D0A-000000000402}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036996Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:06.525{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51653-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036995Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:09.452{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41656A5A2B00A3628DB68E5DEF49490C,SHA256=959359BEF68C326E0D62CAA498D6DE348FBE3DC366A68DEAF83C00D650202ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.615{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33D4690A8911504C12AD5808EC88774F,SHA256=A4B51859C5E0698187CE7A57CE1F95EAC13301F94E60665AD8ACF7B7CA9B8513,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.459{8D4DD44E-8311-616D-9F0A-000000000402}51485308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.287{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8311-616D-9F0A-000000000402}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.287{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.287{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.287{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.287{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.287{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-8311-616D-9F0A-000000000402}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.287{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8311-616D-9F0A-000000000402}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.287{8D4DD44E-8311-616D-9F0A-000000000402}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:09.224{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080195AEE0F6665C4B30570A12B5FABC,SHA256=F397CC79F2527D1034D6B28104797E31B76D41BD6C516BD0D275BD23BCD61975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036994Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:09.437{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036998Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:08.903{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51654-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036997Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:10.468{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86A196BAD0AE15C721826283D319963,SHA256=E1A86025A7F98746936E8B81D1EEB29CC5E40F778FC144389E5DF2F7752DC2EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:08.506{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50145-false10.0.1.12-8089- 23542300x800000000000000053960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:10.240{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7C6BC74100AB5B62963E4FABB9EB45,SHA256=640836B48815C6AFE300C5B33D23EC1AA7EB8F6F35F0850E040E602C5A5274D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.787{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8313-616D-A00A-000000000402}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.787{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.787{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.787{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.787{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.787{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-8313-616D-A00A-000000000402}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.787{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8313-616D-A00A-000000000402}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.788{8D4DD44E-8313-616D-A00A-000000000402}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000053963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:10.041{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50146-false10.0.1.12-8000- 23542300x800000000000000053962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:11.255{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0425380A3626380078739EF392DA5326,SHA256=32EEC026E9BEF70CF1594624C275ED3A5F232D316A404CA4D8B06587771DF3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036999Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:11.484{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF128440D7C0E8C65D5E65B24C158A1,SHA256=7593FF1986021445E7F4746369AC1D46E999CCF88244C6C5EBB1934B7A4C30FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037000Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:12.499{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F6C76B0FC45EB8C1BF4083A75ED154,SHA256=297D036562D20D6021A82F2E7A7B4787CED01C4400D51453B8B7508556334BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:12.818{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFC0A0F1B653882A5B3CD6CBF131BF93,SHA256=395CD2E0AFF7E7936EBC33DE97D390E3EC3B3A680B5AE5FAEBA7FDEED9341326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:12.271{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6062DC227C30298B3F41DA5E8A7ABAF5,SHA256=1EF383C24BB6BB6F5B9E8FF1B11B4E33B3EAABF0A936E44547D684CE5BE63176,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000053981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000053980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009a1000) 13241300x800000000000000053979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c423-0x28938f26) 13241300x800000000000000053978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42b-0x8a57f726) 13241300x800000000000000053977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c433-0xec1c5f26) 13241300x800000000000000053976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000053975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009a1000) 13241300x800000000000000053974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c423-0x28938f26) 13241300x800000000000000053973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42b-0x8a57f726) 13241300x800000000000000053972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:12.084{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c433-0xec1c5f26) 23542300x800000000000000037001Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:13.515{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FD39C84451AE5E50E7B6A289374299,SHA256=03010A8909E3C17D3F768A682A0E994EA2B50722F82C3FE819C9521D3F375762,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:12.226{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.20-11156-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x800000000000000053984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:13.271{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F4E03AC60188EAF74D19313B8C3C5F,SHA256=5DD530A1C83BE24065D7B657282F2B80955B48DEFEDB8A9A8090337E51A2FA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.881{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2958232BD4DB60F78E34F5178A4E520,SHA256=2503625A3FBCCFC2DC7256CB0CF682B208CFACDEFF9D8C0E4A4C09307F716FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.630{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23FB70C032F2DF24ED14957F35A4009,SHA256=2BF12BC7C913F255F0AB6AD2BBD811904302D236BB3E7C72E42DDCA71CCEB5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037002Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:14.530{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC479509DF88975A50FF1E98C603B22E,SHA256=1786CB4BA75E644741C3B853CCD91A8219ED80F0C310BBDF8B496284153CFD6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:14.271{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:13.447{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local55280- 23542300x800000000000000054018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:15.724{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDE0B51BD859DF5971ACA63463240F1,SHA256=97F32F029B182AFDFBE5B96502BE69C102B0222C4D1C81C7597CEEB892187770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037004Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:15.546{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024932C4C51925EEDEBFB2DE5743ACEA,SHA256=1C375F4DE50D4E2AD3B9C0A795C002B27F902F35E32EF0E03172BBD3EC16494B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037003Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:12.543{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51655-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000054021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:13.524{8D4DD44E-5BA9-616D-0F00-000000000402}308C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.20-11722-false10.0.1.14win-dc-185.attackrange.local3389ms-wbt-server 23542300x800000000000000054020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:16.740{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3686A71FF1D6EDCDD0642A2D1EDC50F6,SHA256=2923608C381357AB7AD713D861947464C276DC7EB9C4960DF47F577E98CD6ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037005Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:16.562{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80D7AC313D736346838A74C88AD0AD6,SHA256=8C761BE1E454C6C9BF7285815EA1DA3E4B89D059D307C32CC5AB2B853641F1D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:15.962{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50147-false10.0.1.12-8000- 23542300x800000000000000054022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:17.755{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EC1D8173B38DC5F666A22744F59982,SHA256=D0309022EA85DA97FE4DA6811A745A259F786A20266D2E5D2657CF276A7A47D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037006Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:17.577{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC7AC1E8ED684DE4BAABA7357D48969,SHA256=490442AB911980EB5D29A4E1059920198EFD0C3629EF4C11B75C364DE196C30C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:18.834{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7C47CE8DFF86A2C1C8780C87874FED,SHA256=D84554038BE2810BC146600F26BCA32F7FC6A308DB623F8A786A87C6D076D267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037007Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:18.593{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F29864428F1B764E2F9F12301DA129,SHA256=412A38404C06784D171EDCAC32569953A48BF9E56EAAF056A369A28712899DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:19.849{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E525D0123B3B7648EC30D92F5FCB842,SHA256=8EC529F61CF208207207C02A531DF4CA80CAAE46330A48B342B3B124CC1352D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037008Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:19.608{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DD6D534216605BE1AFE29F1E97F0B3,SHA256=4E01CE896B994EA5DF6E2B3D4ADE66936734F34E68870C1B908DBF0456837588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:20.880{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80B3585A3830ADB2BA2F0B4B1A43D34,SHA256=B1BA24C5F9D2D57B10E03348085715621F07872346BFCAD0E5C7A825E945725D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037010Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:20.624{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E266DC53AE22840BAFC0FC7C2F4C0E1,SHA256=D2D9B767C7D568169AC564933FC1896EC74CC1731570ED44D9BF7FA29B765CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037009Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:17.605{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51656-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:21.899{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9669B51606608BD3A201BAB14D010265,SHA256=C9CE746902C5D91C1C3D4754F1E1DD9C6DC19B1F2A3D5BC788E59661FA9CEFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037011Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:21.640{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C1A0449D945CDEF07F1B73CF920A9B,SHA256=8A21C3A2557F94358C0867A0BC4453CB6A5DF0610A6F4FEA1DAC8CE9D3F68553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037012Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:22.655{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FCDDBDCD93E857025212B0DF247CAF,SHA256=A6466E38E0FE522B7B879DEC5885417F8EBEF367655818D84B8597ECD4DD6F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037013Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:23.671{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48904A9E5C011E6B574A4927C476C9E,SHA256=DDB6A6FB2B9987B2C890A77603A48DCBA058DBA503B0F512D6DB8F1DBBEB7DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:23.131{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C72632DC3FA9EC17A06D718F42537F,SHA256=119952B9D1B3E1F901983218B4A40A881B9C3503EEB0F0CA7A672679A289BE68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:21.123{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50148-false10.0.1.12-8000- 23542300x800000000000000037014Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:24.687{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEBDDB722D1DCA77DB5DA7F6418A2F3,SHA256=B542F11B8696098534D1A93A0E9CF705AC6D7DE24AD58F8D325C476BE4269D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:24.146{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E370F35FA2CA284A27D55E82808F45,SHA256=1F972688F76631FE1CCB2C199970BCA0A4EEF4B8F7E5B62F0978264B9410DC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037016Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:25.702{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5F2B69486ED9C668B00C7501C2E63A,SHA256=EDC3491D92E535F6B3E4193DBCCC4EAA30862C904EB34DA781AA8FF71A5BBC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:25.177{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA551243DCFD2EAF487521187E8095A,SHA256=1FE269D5A99201AB6D1D72CA522032B3C056471DE5602D940DD925328144BC1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037015Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:22.715{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51657-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037017Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:26.718{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D1308B80B47A40613FA59716458657,SHA256=DB7C409B118B5C6960F4043C0BBE7DBE2F4E3A1C77A31DA9F190F4B951A8DF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:26.255{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085B20913E062C16DB998490C26D0FB7,SHA256=9E1E78C8CB4DC98B6F120CF9790AA8BB1FEF8A7042352CD6C7305BD25414F855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037018Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:27.733{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888D4AC757C9B5112A59F230567B67DB,SHA256=B09C7E40E85E1C1DD4F66F1347C662B7ECD1726986675E0D2DF3C7D34E49A53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:27.271{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88675FEA4F87F101B53BE88B23FF9DDA,SHA256=22C8E4FBAD8BE12B0393CEBFF6CAA62F86C26141488457E402E4F4B6EF48D20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037019Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:28.749{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575E3CC29DDCD95B54858E7A8F58AC92,SHA256=0322FCC82B0BAB32991CDAEA0BCF43FB3358813EC3ECE661F26B0BEAD33BC5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:28.459{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13148DC033C26049AC68FE819E3FDD0D,SHA256=16A582C7E5D2C3FC4D33974EDFFF627B324CA1A2B2080DD4FD432F828C22D71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037020Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:29.753{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17081EFE99EF55AFC0FA38C7CD67E026,SHA256=BCBDEC6158CDFBFE18BFF3D2032671962FFA4E05AF299CF7F128E3DC49BB23E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:29.841{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-163MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:29.464{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B5DB6864D2B34AB2BBD5014695C0C3,SHA256=F73861C3E50039569ACF4F0C3F35ABFAE53746159A88D8DD6307287B1E0BB2A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:27.041{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50149-false10.0.1.12-8000- 23542300x800000000000000037035Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.753{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0D4DFD5798868F5432387E4CC28B65,SHA256=C5AA857A350BFA4E8C1A8DC43EFC3D22AAC44CCDAE7197D066948A2D4033143A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:30.854{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:30.478{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5AE7F51A3FB2895B3F6EC9D61BBB147,SHA256=67780E70E26FA78CB20636686DBB75E64B9CAFD31F85CCAF39427CEEA4DB5B0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037034Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8326-616D-0208-000000000502}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037033Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037032Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037031Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037030Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037029Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037028Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037027Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037026Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037025Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037024Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8326-616D-0208-000000000502}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037023Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.722{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8326-616D-0208-000000000502}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037022Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:30.723{6F8252D3-8326-616D-0208-000000000502}2124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037021Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:27.746{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51658-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000037065Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8327-616D-0408-000000000502}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037064Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037063Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037062Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037061Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037060Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037059Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037058Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037057Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037056Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037055Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8327-616D-0408-000000000502}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037054Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8327-616D-0408-000000000502}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037053Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.894{6F8252D3-8327-616D-0408-000000000502}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037052Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.769{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2558F94E32DBE6A654463B701B6E3F,SHA256=237BD4432E1589FD6104D1990A2EDDAC73E795FF1BBFA3EF3CB4C37C8AF5A60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037051Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.769{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=755072AEBB27905551B2478CC5A0976F,SHA256=4C73FE6DF7AA629338AD47F7FBB43C1001ED556ED9D6DCB6C0A51FF629031932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037050Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.769{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B07CF67E1BD4B2D0DB791786C3C7B47,SHA256=D9702D72B4C2DE91209B85512179423A574128F8F8A8355E4564DB1B9621D3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:31.480{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976E5CA0248AECBB4C85096CCDFD0F7F,SHA256=CC4615D913E9C272EFDD5F5E362668FA46A2EF379E9448C2A64BE941E6440DD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037049Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8327-616D-0308-000000000502}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037048Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037047Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037046Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037045Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037044Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037043Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037042Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037041Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037040Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037039Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-8327-616D-0308-000000000502}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037038Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.222{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8327-616D-0308-000000000502}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037037Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.223{6F8252D3-8327-616D-0308-000000000502}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037036Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:31.003{6F8252D3-8326-616D-0208-000000000502}21243248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037066Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:32.784{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE83E2BAA099C4658E85088D592DE2F,SHA256=6ECECE243C911F99A693D96A009835F88A9AF6E78FBA4D8A61801D01DFADB8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:32.496{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9CE6E2500FFA079EDE971907303A61,SHA256=05942405B3F36B7D12678445BA92C5CFE969B80ECAE6E6258862223E3AA21E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:33.542{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F634BFED20B65B1208EFB6CE1E28994,SHA256=3B85EAACE47B5362CCD20A02A0C193C72143709252711BFC68B6878D76C3B8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:33.542{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=158DF2AC98097107D5CB131A217CE8AA,SHA256=D0F09621105C3CD305C00F9CE7B6F69FE36087B466E69A74D4C1559571BA00F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:33.511{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2998CEC7C898574DA264CBA7D8204B,SHA256=96609C221AD9EBF94FDB1AB8D8A74C2673704AD3C55CC45218561FB4F70776A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.800{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49EC8B53308A8C16071E18AE34942B7,SHA256=581D889F94536A27A627E45BDC24496F0F769FD2A5A35B15441888BCD5AD9173,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.378{6F8252D3-8329-616D-0508-000000000502}2316644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8329-616D-0508-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8329-616D-0508-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.175{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8329-616D-0508-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037068Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.176{6F8252D3-8329-616D-0508-000000000502}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037067Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.050{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=755072AEBB27905551B2478CC5A0976F,SHA256=4C73FE6DF7AA629338AD47F7FBB43C1001ED556ED9D6DCB6C0A51FF629031932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-832A-616D-0708-000000000502}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-832A-616D-0708-000000000502}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.941{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-832A-616D-0708-000000000502}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.942{6F8252D3-832A-616D-0708-000000000502}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.816{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D062CB5B77879225FDB171A89D2DD6,SHA256=646E4C4F2B588A5BE22014416C412D7C50485B2DD23F0D296CCB14A23D2579B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:34.527{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D44BB334BBC07E7F07A71B40984C8B,SHA256=2AB5F3AC5D81AEBEE4B03DF591CAAFE803A45AF68CCA4836A623DCBDDC2BC013,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:32.375{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50150-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000054045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:32.374{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50150-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x800000000000000037096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-832A-616D-0608-000000000502}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-832A-616D-0608-000000000502}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.316{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-832A-616D-0608-000000000502}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.317{6F8252D3-832A-616D-0608-000000000502}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:34.206{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3B2748CD2AC747FBF11CAF371160D5F,SHA256=797E5808228C057CE2A762160AB73FD75DCC541A0643109AAF431FB9902117AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.972{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EAA68A0F11417441169F12386DF58C0,SHA256=FFB82145E74A7DC397C2C8557726FE2272F55ACD3FEC4AACA1CBF302A0FE273B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:33.626{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51659-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:35.542{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD78B05F9052D051122B7B7F3B7D0B3D,SHA256=FC4A771C675CB5E26504325473911CA4670C094F431225872FF1A7336BF0DCB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.738{6F8252D3-832B-616D-0808-000000000502}25723164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-832B-616D-0808-000000000502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-832B-616D-0808-000000000502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.597{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-832B-616D-0808-000000000502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.598{6F8252D3-832B-616D-0808-000000000502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.425{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F015323C25BA44EB8251FA78CE00865C,SHA256=D4741ECEEACF472A85ED665031F3DA669A1DC1DD3CC407D2021EA5BF0F9339B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:35.128{6F8252D3-832A-616D-0708-000000000502}26122416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:32.953{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50151-false10.0.1.12-8000- 23542300x800000000000000037130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:36.925{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBD849563910C15CC77FCB58822D4F2,SHA256=A6FE81D0EF34700FDE5B16BBD0DB3BD78DD1F0616D72B5BD6B85416D489D829A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:36.558{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2097C5C712270D9F5D10252360A235,SHA256=E38BC5AD719F328FD73F20B50E5322E05F9D1562568448BFA5583D258D2DB0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:36.816{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAADF7C4B308E24AC46EAE4AE3BBB83D,SHA256=72E337C54793CC70344859BA6226271E1DB73AE9848EB489580A8F84B81B4CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:37.941{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6E8480CEB740B3E563FB2F2087FD6D,SHA256=3EA1D39C1FA40D03316D1AB5E695D62F0BCB4D361B406C47046FFD7432E53168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:37.589{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D99C0C74B66EE8373272B8ED947043B,SHA256=7E1729D428D036B983096B6EAE3A714568A5802FC06D515A3EBEE1CEF930F1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:38.972{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACBDE79F44FFA39B2B3A3FD690517323,SHA256=E393CB8F00132178CA46E5F14BD4BF8B16896ACAF32488AE3B6E119BEF08D7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:38.636{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A00B1FB6B6BE715F6F02F749D7A610,SHA256=F60CBD75C5DABAA9F7833ABAC1B21B041EA0CFE8C73220AF4E0AEE477F2C0EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:39.652{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184B06506808684EF759DFEC29795D37,SHA256=8F760BE2BADA9D6BCDAEAE4509CC5AEBDA7D4A3ED20AA46832E573A4DB69BB0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054055Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:40.714{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AAF0F43AD377F3EA7B823E225B968E,SHA256=211453B7795040000F1A29F190C2BCA92F9F90D40436558A8E5ABE782C852E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:40.003{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BEE3E2875962FDF194B2F3B177FEB6,SHA256=5F9D38EDD3167EE758137A894A91A093042E95A64838159B48609D91E931F914,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054054Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:38.968{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50152-false10.0.1.12-8000- 23542300x800000000000000054056Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:41.730{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C73A37561004658ECA4FD391C388DE,SHA256=2FDF21AB1270F5EEEAEB9F2D75C5A17C02B7B346006D2ED7DDE6929D08BAD840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:41.034{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795C2BEDF7307C6A35451856132413C6,SHA256=5BAD037DC76450F992D9FA7AF4BA87DF416B738FC103BFCFD48DFACF5D0946AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054057Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:42.730{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4924A6B24D632D4A7E7D01D406E8D04,SHA256=E858012922E515FA1ADEB6479A5F9AE1CDD07AFE0923A71FAFE0F5EBDB57131B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:42.066{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF22E82E6B6C44F4678716F59113A8F,SHA256=1CD0AEBF649128B77D6D8A25DD2C811958BB8B5CB99068447CA7A73E7F944106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054058Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:43.746{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124A2CD1B0977575E4BF96A4D28E61BB,SHA256=0CC18FEF9A24ECE538E066BF7B4D92CAD0CEC24F341CFA94119AFF08E971E772,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:39.547{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51660-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:43.081{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180D89F7C4DAE78C8DFC2F7436C08B4B,SHA256=8D1B59A44A3ED7B92D1860EE847CABC4115CDB1CD83E8AA48B1A80309B234B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054059Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:44.761{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB04AF3489B6158D324897B5721A83A,SHA256=D05751DAE46B08B4DF46291C5636E6E42368C4B99BB1B51DE92D047CA9341A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:44.097{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347666B48B5ED68C1EE5E20E618CDF44,SHA256=18B7E57093F933FB480E2C94C683E3E9A148DDFB39B60180A3C5084794F8E310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054064Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:45.777{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA4A4AC98D366F36574E721AC6A645B,SHA256=E548D52D3905410FA801B58C6C1974F3D1EF848A79E432E4F9979A7121BCF666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:45.113{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7363B6902D0E0DEEC097542D6D3D4520,SHA256=F2739ED96B26FB144D7A6A07A95FC3EA8906B9D6DF992FD9F24C46A76A325599,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054063Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:44.000{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50153-false10.0.1.12-8000- 10341000x800000000000000054062Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:45.402{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054061Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:45.402{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054060Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:45.402{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054066Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:46.886{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BA8-616D-0C00-000000000402}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054065Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:46.792{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD663B708D6DAFECB6184F419558A4D,SHA256=8FE8B3101F4F58464D3B660E216B6F8AAD3BC1B0F68CF0257B6A4F0B33455341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:46.175{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3742B38CB9F4AFCDDADCE7A6510FF5C6,SHA256=F82492797C0F5C006311D41600F076948C948F1D12AB001C102694A453C727EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054067Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:47.824{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AAEA91D305F585EF7657061A491F65,SHA256=E1597D377043AFA6A9A364D1E2B3B3217843701E15BD10EA33C529A5E229DA90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:44.734{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51661-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:47.222{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F536FA7BEB586B50EFCD032D06F3282,SHA256=B602791EB3C4B969D3A2AAA9B0DE54929FB71309BD0FB4C6C9D90B7D0F5449A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054068Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:48.838{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A621D58E3EBFAE6E97B19E3ADA98BCFC,SHA256=9B810971BF16C1B5BC492B6DB4E8A0A173C5C49339FDD1FD1BC4F8E22A6B2592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:48.284{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB13FB07178B96D51FAB89A7DF916380,SHA256=249A18CAFE4BB9983531582B3332B91AC36926D262097ADD2292F8E151D81622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054072Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:49.869{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB24D3B5EC4AB54FC8BAB7C53F5B40E6,SHA256=879DB8A42FBDF8A6223C5842973F36259658CF3071E38C029A55CE2D062CEE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:49.300{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2E2CA7B6B44FD15A505881BE7066AC,SHA256=66C2F162B0DD6041D217EB666E0E8F3851A7B90D08A9E8154A131295D714C9C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054071Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:49.588{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054070Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:49.588{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054069Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:49.588{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-822D-616D-840A-000000000402}6104C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054080Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:50.884{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CB369AF1BEF3CFF9A15F0955A0D38B,SHA256=6FAAD7C67F607C4AEE6665992F0D71820945BEC8C28C5AE787ADC02538F47EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:50.316{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225ECC00E292B9E81203FBAE372D828F,SHA256=8C870BB4BABECDEFC6DF0C7058B8BDB292ECFF4C83A128FF69CDAF2CAB7B7C25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054079Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:50.776{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054078Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:50.776{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054077Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:50.776{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054076Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:50.759{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054075Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:50.759{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054074Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:50.759{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054073Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:50.759{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054082Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:51.900{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91792C401AAB1963DA4A2D8E3D5AA788,SHA256=3862013D0E908FAF189D3C822145846CCF635A99DAF1AA28BDF72A64B8AAEE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:51.508{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-155MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:51.318{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675F536EA090E837100296F3570389DF,SHA256=B8418F48F27FD36FE6BC216E1519B480B3B67E6F046DBA4C64B792AEE292437B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054081Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:49.013{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50154-false10.0.1.12-8000- 23542300x800000000000000054083Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:52.900{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AD2D6A71A37ED4FB841B61A55C363E,SHA256=2376F141431B211DDDC4209A5E52BE913BEC0BECBC8467D2C6B64AA2E395B1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:52.513{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-156MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:52.325{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B19F18D890477DC73E5D8E44C849404,SHA256=284D2C430C1290E9FFE6B8D52D5EB0E485806A5850BEF69F5A63D9C5E61A20E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:52.247{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C7AFDE0D1A6CC5E50CD17673109DD1BF,SHA256=5B465564F13A07AC069099E958E57BE1D99AD2E4EBF1C1BFCC58CD41A2C05BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054084Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:53.916{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D609D8A5A36CEC2D3EF77C156903D6,SHA256=8A497A2E6A4EB9C5DC897BBBABD169C608E47777E53EEFEA0D6701C8A528FED2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:50.502{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51662-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:53.340{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CD8626EAADDDDE237E71F7E07C9FAB,SHA256=DC9F97FFE70D6EBEEE1ADD6742B05C1B5B37B936A5AF6B9B151D0C90CD78D1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054092Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.916{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAD8642771728754B9BC3312089B057,SHA256=79E2C9C98B5B59CF6F88FEE17F33BF0A61D2933CCBF1A1C490C25916C252E074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:54.358{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9AE5FA6B08D0E7C4D47235894309E6,SHA256=CE1111C597A6AD7DD0EA0A76CA30E8E745CF1120FD26DECB2E72455A6F5AAD42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054091Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.259{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054090Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.259{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054089Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.259{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054088Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.259{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054087Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.259{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054086Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.259{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054085Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.259{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054101Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.931{8D4DD44E-80C1-616D-3A0A-000000000402}3684580C:\Windows\system32\conhost.exe{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054100Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.931{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054099Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.931{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054098Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.931{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054097Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.931{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054096Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.931{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054095Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.931{8D4DD44E-80C1-616D-390A-000000000402}19645724C:\Windows\system32\cmd.exe{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054094Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.942{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000054093Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:55.931{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EC499DEDAC21E02413895B96EAB97B,SHA256=0F3BCA73B43A34203E9F2474DB88145E606C5FFF2BF027C4C06305A618C7F2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:55.404{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEFB2B4651FFF2D3FEE754D1B1CE1D5,SHA256=3C97AD4668D791817011353548F878A050C9281314D91F44A881FF2CDA93550F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054119Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:56.947{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F5082ED963AE248B888CF5BEB5E584,SHA256=8B85E3FCCC4F99FD60F308C8542E2A140314B1A3192ADB07B21CFAE8D8E7448C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054118Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:56.947{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3294AD82595369FBB58F31AE7E23FDCE,SHA256=84A157F931647FE694B23E12156002C3EE7542C80AE4050654F6F000D856C5DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054117Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:56.947{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F634BFED20B65B1208EFB6CE1E28994,SHA256=3B85EAACE47B5362CCD20A02A0C193C72143709252711BFC68B6878D76C3B8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:56.436{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DFFDC9DBB1CB15EA0A7292FE4192A0,SHA256=B4E511E6BC0B25AC62486DC9EDEB8982C1425A533B1C79B2CB544B2ED7F9F59C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054116Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:54.951{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50155-false10.0.1.12-8000- 13241300x800000000000000054115Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:56.072{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=1EDFE32EB59F538F7FB1ED9CF02416EEA5799CE5F23A3D5D3E3DCF5A31C74016 13241300x800000000000000054114Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:56.072{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x800000000000000054113Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:56.056{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 16341600x800000000000000054112Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local2021-10-18 14:22:56.072C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=1EDFE32EB59F538F7FB1ED9CF02416EEA5799CE5F23A3D5D3E3DCF5A31C74016 13241300x800000000000000054111Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:56.056{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000054110Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:56.056{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000054109Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:56.056{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000054108Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:22:56.056{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000054107Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:22:56.056{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 2553225500x800000000000000054106Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local2021-10-18 14:22:56.056ConfigMonitorThreadFailed to send message to the driver to update configuration - Last error: The system cannot find the file specified. 12241200x800000000000000054105Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:22:56.041{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000054104Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:22:56.041{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000054103Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:22:56.041{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000054102Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:22:56.041{8D4DD44E-833F-616D-A10A-000000000402}3884C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 23542300x800000000000000054120Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:57.978{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333137C06D95B133B9D28DF0A3F753DE,SHA256=11DCC661A83CDD7E8006604D3DCACB535D9945C3D214F6078C119027C87C4DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:55.682{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51663-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:57.451{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40B8ABA690192752DBBF00730723F4D,SHA256=DD9CB1FBC55696BBEC015CAA6141F93F55F4437D39BBBAB8420F4F48420700B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054121Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:58.978{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1BCA5A0C81B53D168E088854A52DDE,SHA256=C6FE78DE912CA887BD4A845FB8136C830FB8E9471E8C2582811A84632BD98D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:58.467{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D429FC8AE8483E30185A943BCD5F1753,SHA256=47301BD035DAFB04C599AAE06D45AD8F36C08E28939CBCF54B1174111B24ACA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054122Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:59.978{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE112503AC2B3B7C309893EFA7D78885,SHA256=72C3F9332F5F6021BF1CB5C66B278A524B14296CBDC096C4064464097718B303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:22:59.514{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42B1C36E862C32EDE3F7C17A5F09263,SHA256=ADD130DFAE3288855503B594C50F86EB8D5C5EC725F2168A7C490A8599D60883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054123Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:00.994{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C76D849773C8C063F161A4A6F7F75EE,SHA256=3F7AB8E796BBB4F4ED7E62B67B78742C08D14FF5C0DEF5D694EEA2E26B813393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:00.545{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91D004602EDF8DC9160E04F069F556E,SHA256=6F87F0396946F1A3CBD2876637E43EE6F6814D9BFDAD54C99E4A72DEE13DE3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054125Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:01.994{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38AA4E21A250849E48E0688885892FD,SHA256=CB81C2D7D99A1186E5D84F508BBB8B8D3157D6B25DFF139FBC7CB4CA2C409988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:01.576{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C47A202B174BBF4C48512D94C96DBE0,SHA256=2D856939F63FA576631B5D6D39BCC3E8B51FDE8915FFEBCCC394DBB17FAAFEC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054124Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:22:59.966{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50156-false10.0.1.12-8000- 23542300x800000000000000037162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:02.623{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B85DFA2B9F77FD2BBE28EB638637FE8,SHA256=0B35771B0D9364D7D67A1D04D38E751E7B6E2FD88F1322FBEC217CC93F11071C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:03.639{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB90CC9E0EB60B532D33F716D516665C,SHA256=A7DF137EC8196571CC9E28C5BBEC8980C5EE7F77F0F2476DDE4123FC3FC472F3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000054149Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=1EDFE32EB59F538F7FB1ED9CF02416EEA5799CE5F23A3D5D3E3DCF5A31C74016 13241300x800000000000000054148Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000054147Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local2021-10-18 14:23:03.150C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=1EDFE32EB59F538F7FB1ED9CF02416EEA5799CE5F23A3D5D3E3DCF5A31C74016 13241300x800000000000000054146Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000054145Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000054144Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000054143Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000054142Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000054141Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000054140Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000054139Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 2553225500x800000000000000054138Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local2021-10-18 14:23:03.150ConfigMonitorThreadFailed to send message to the driver to update configuration - Last error: The system cannot find the file specified. 12241200x800000000000000054137Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000054136Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-DeleteValue2021-10-18 14:23:03.150{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000054135Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.088{8D4DD44E-80C1-616D-3A0A-000000000402}3684580C:\Windows\system32\conhost.exe{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054134Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.088{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054133Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.088{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054132Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.088{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054131Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.088{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054130Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.088{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054129Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.088{8D4DD44E-80C1-616D-390A-000000000402}19645724C:\Windows\system32\cmd.exe{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054128Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.087{8D4DD44E-8347-616D-A20A-000000000402}3148C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000054127Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.041{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=49C9D3304DA481FA592171769510D044,SHA256=47C376E4682C4C73C522744E3A4C3791DF8CEFD34905E11C87D4352F238B42A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054126Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:03.025{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B4B48A7A32BF8C4D43304E00CC7D20,SHA256=38AA8FFA8A94711881CED9EB49C146646867AED4427BFA5A7CD4525CE91781FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:04.701{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152530A1931C3FA39150A9EAD2B799B5,SHA256=27A9858C29615BEFE36DF40EFC028676B0E8CD77E9C15BBD56982F1DC804CD38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054152Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:04.103{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42B372DC6B9CDEA83BC2722D8B3DFEC4,SHA256=283A7A9A7440D99F31A6EB4062D47F0E8A7162FAF419A237BADEED23E123F205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054151Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:04.103{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3294AD82595369FBB58F31AE7E23FDCE,SHA256=84A157F931647FE694B23E12156002C3EE7542C80AE4050654F6F000D856C5DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054150Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:04.041{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8160E452DC50E69F78B402A67A92E1BB,SHA256=C2496E4DF1B60AA417585B44EFDE73BE3CD0CA52F7A6E31B389A607299698AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:01.728{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51664-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:05.717{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38F69AFE3012E407C9503C06953EDA1,SHA256=EFF6C07C884FD12520F649F8FF6B805747A80A185196FD717EC3F7CBEF38F139,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054168Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.978{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8349-616D-A30A-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054167Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.978{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054166Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.978{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054165Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.978{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054164Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.978{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054163Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.978{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-8349-616D-A30A-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054162Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.978{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8349-616D-A30A-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054161Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.979{8D4DD44E-8349-616D-A30A-000000000402}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054160Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.150{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054159Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.150{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054158Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.150{8D4DD44E-79A3-616D-3609-000000000402}48006744C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054157Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.150{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054156Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.150{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054155Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.150{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054154Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.150{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054153Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.056{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F01ECD597DA55CF4C27A13349352F6,SHA256=98C6C7F08B831B05887F7EBCF6A4FEFF56F72EFA14FF82995FDF25544F11673F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:06.779{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC435D3333CE7E8B1D02BF8AE30720F3,SHA256=C4E98D43F5CD35EFC896BE32771D014362D3FBB2397079CC87105F008C029FCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054185Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.978{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-834A-616D-A50A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054184Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.978{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054183Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.978{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054182Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.978{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054181Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.978{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054180Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.978{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-834A-616D-A50A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054179Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.978{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-834A-616D-A50A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054178Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.979{8D4DD44E-834A-616D-A50A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054177Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.478{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-834A-616D-A40A-000000000402}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054176Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.478{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054175Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.478{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054174Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.478{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054173Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.478{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054172Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.478{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-834A-616D-A40A-000000000402}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054171Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.478{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-834A-616D-A40A-000000000402}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054170Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.479{8D4DD44E-834A-616D-A40A-000000000402}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054169Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.072{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7772F2CCBB010B8846114D03EE8625F1,SHA256=495D3D723DE91B8E0A195F86DA7F792F06B79E326F3CCA5C98886B1A0DB2853C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:07.795{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6065C7FA3D7F92456CFAAC5C4EDDAA6A,SHA256=42797DB38B40A519871FE63E8F7DD12724AC1167B3D47C37F761D2560B253AED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054197Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.838{8D4DD44E-834B-616D-A60A-000000000402}69161060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054196Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.681{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-834B-616D-A60A-000000000402}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054195Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.681{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054194Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.681{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054193Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.681{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054192Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.681{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054191Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.681{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-834B-616D-A60A-000000000402}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054190Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.681{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-834B-616D-A60A-000000000402}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054189Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.682{8D4DD44E-834B-616D-A60A-000000000402}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054188Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.197{8D4DD44E-834A-616D-A50A-000000000402}47244412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054187Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:07.120{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEE6A07D60E2909A94274350E110779,SHA256=9BA284E9BD432EC478A8AFB2E980384F1DB3D825131EA8CA8F7D8F1CE4EFDB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054186Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:06.994{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42B372DC6B9CDEA83BC2722D8B3DFEC4,SHA256=283A7A9A7440D99F31A6EB4062D47F0E8A7162FAF419A237BADEED23E123F205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:08.801{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B6B8CF24C66EEFE89D2811291ED4A2,SHA256=C77F9DA09A9B843E794E060C537522463C8E713D40B15A28BF9BC83CDEA93D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054210Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.775{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38457483898BF5F4039CB00FE42139AB,SHA256=B1A887E0F121D4DC32F291616C0B9AC3BE266749199D39DB1C001F65C6D5E0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054209Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.697{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054208Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.541{8D4DD44E-834C-616D-A70A-000000000402}66726712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054207Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.353{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-834C-616D-A70A-000000000402}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054206Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.353{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054205Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.353{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054204Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.353{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054203Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.353{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054202Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.353{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-834C-616D-A70A-000000000402}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054201Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.353{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-834C-616D-A70A-000000000402}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054200Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.354{8D4DD44E-834C-616D-A70A-000000000402}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054199Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.134{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662E4BF7D2CFA94B1F37608019188FB9,SHA256=905E525A5335E35E7D0B87FAFD234B04DD561881DEFD97ECAA133A5116C09B99,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054198Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:05.935{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50157-false10.0.1.12-8000- 23542300x800000000000000037171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:09.863{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A68E636963F5438A5C4DF35FCF4693,SHA256=85A5CF36D3AC8561B76D95A455D398153EB73DFBC86019E0F882BBE4690BE6EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054220Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.198{8D4DD44E-834D-616D-A80A-000000000402}3446564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054219Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.136{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D95CCFD8128BFA95776C2649C1E432D,SHA256=195F993C9E5256C1DC268BAB26C0D1E7861CEA9C643DBC2FF378E0ACEC16985B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:09.457{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054218Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.026{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-834D-616D-A80A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054217Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.026{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054216Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.026{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054215Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.026{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054214Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.026{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054213Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.026{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-834D-616D-A80A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054212Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.026{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-834D-616D-A80A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054211Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:09.027{8D4DD44E-834D-616D-A80A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:10.895{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39438E7B812CE7DDF959724273E21913,SHA256=B51FC852AE77084CE8E7537FA867583560296E0BB60EEA9A4DF238D9CE2E347A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054223Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:10.167{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53BEBE89C53ABC7C81760993219CF14,SHA256=DC0B88C0997055241D44D91FDB692F400EC430865225936662C7D3219FFA081F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:08.123{6F8252D3-5DB7-616D-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-470.attackrange.local138netbios-dgm 354300x800000000000000037173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:08.123{6F8252D3-5DB7-616D-0100-000000000502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-470.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 354300x800000000000000037172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:07.603{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51665-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000054222Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:08.529{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50158-false10.0.1.12-8089- 23542300x800000000000000054221Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:10.058{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B945BFE95B1DB74582570D7A0CAE803,SHA256=5C6FBC91725E00600CC8A27C0FD8FA5DD3CDEFC6721202D30FAF767096E0E2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:11.942{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30535470459C0AA2DD220A0246F6BF3,SHA256=699DEB7F00E8621845229E5D6D5CA263790003D39E1138A5DA0AC5D51B160B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054321Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.683{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-B30A-000000000402}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054320Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.683{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054319Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.683{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054318Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.683{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-B30A-000000000402}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054317Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.683{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054316Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.683{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054315Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.683{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-834F-616D-B30A-000000000402}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054314Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.686{8D4DD44E-834F-616D-B30A-000000000402}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054313Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.683{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DD763D06F11432804993265D4D4B07,SHA256=89F81D2E89A516E7DDF4310A78A1CFA607C8E9BB772DD4AA9FFEC091C6A8120A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054312Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.401{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-B20A-000000000402}5868C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054311Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.401{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054310Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.401{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054309Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.401{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054308Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.386{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054307Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.386{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-B20A-000000000402}5868C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054306Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.386{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-B20A-000000000402}5868C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054305Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.400{8D4DD44E-834F-616D-B20A-000000000402}5868C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000054304Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.370{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-B10A-000000000402}4200C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054303Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.370{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054302Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.370{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054301Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.370{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-B10A-000000000402}4200C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054300Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.370{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054299Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.370{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054298Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.370{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-B10A-000000000402}4200C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054297Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.370{8D4DD44E-834F-616D-B10A-000000000402}4200C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054296Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:23:11.354{8D4DD44E-834F-616D-B00A-000000000402}5824C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsentDWORD (0x00000000) 354300x800000000000000037176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:08.922{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51666-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000054295Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.323{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-B00A-000000000402}5824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054294Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.323{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054293Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.323{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054292Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.323{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054291Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.323{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054290Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.323{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-B00A-000000000402}5824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054289Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.323{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-B00A-000000000402}5824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054288Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.331{8D4DD44E-834F-616D-B00A-000000000402}5824C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054287Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:23:11.308{8D4DD44E-834F-616D-AF0A-000000000402}4512C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReportingDWORD (0x00000000) 10341000x800000000000000054286Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.308{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-AF0A-000000000402}4512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054285Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.308{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054284Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.308{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054283Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.308{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054282Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.308{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054281Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.308{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-AF0A-000000000402}4512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054280Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.308{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-AF0A-000000000402}4512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054279Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.313{8D4DD44E-834F-616D-AF0A-000000000402}4512C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054278Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:23:11.292{8D4DD44E-834F-616D-AE0A-000000000402}6348C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeenDWORD (0x00000001) 10341000x800000000000000054277Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.292{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-AE0A-000000000402}6348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054276Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.292{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054275Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.292{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054274Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.292{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054273Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.292{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054272Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.292{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-AE0A-000000000402}6348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054271Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.292{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-AE0A-000000000402}6348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054270Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.293{8D4DD44E-834F-616D-AE0A-000000000402}6348C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054269Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:23:11.276{8D4DD44E-834F-616D-AD0A-000000000402}6344C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotificationsDWORD (0x00000001) 10341000x800000000000000054268Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.276{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-AD0A-000000000402}6344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054267Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.276{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054266Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.261{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054265Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.261{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054264Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.261{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054263Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.261{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-AD0A-000000000402}6344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054262Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.261{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-AD0A-000000000402}6344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054261Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.274{8D4DD44E-834F-616D-AD0A-000000000402}6344C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054260Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:23:11.214{8D4DD44E-834F-616D-AC0A-000000000402}4320C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsentDWORD (0x00000000) 10341000x800000000000000054259Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.198{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-AC0A-000000000402}4320C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054258Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.183{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054257Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.183{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054256Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.183{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054255Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.183{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054254Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.183{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-AC0A-000000000402}4320C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054253Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.183{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-AC0A-000000000402}4320C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054252Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.195{8D4DD44E-834F-616D-AC0A-000000000402}4320C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054251Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:23:11.183{8D4DD44E-834F-616D-AB0A-000000000402}6492C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReportingDWORD (0x00000000) 23542300x800000000000000054250Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.183{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321285FA3715268905C5EEBFD2A08F8A,SHA256=0EA5F345221FF796B5032664597116F24AA1982475998E69690B2D5F79C7344F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054249Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.167{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-AB0A-000000000402}6492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054248Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.151{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054247Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.151{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054246Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.151{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054245Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.151{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054244Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.151{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-AB0A-000000000402}6492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054243Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.151{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-AB0A-000000000402}6492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054242Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.162{8D4DD44E-834F-616D-AB0A-000000000402}6492C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054241Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:23:11.136{8D4DD44E-834F-616D-AA0A-000000000402}6276C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeenDWORD (0x00000001) 10341000x800000000000000054240Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.120{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-AA0A-000000000402}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054239Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.120{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054238Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.120{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054237Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.120{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054236Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.120{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054235Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.120{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-AA0A-000000000402}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054234Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.120{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-AA0A-000000000402}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054233Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.130{8D4DD44E-834F-616D-AA0A-000000000402}6276C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054232Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:23:11.120{8D4DD44E-834F-616D-A90A-000000000402}6604C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotificationsDWORD (0x00000001) 10341000x800000000000000054231Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.104{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-834F-616D-A90A-000000000402}6604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054230Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.104{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054229Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.104{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054228Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.104{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054227Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.104{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054226Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.104{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-834F-616D-A90A-000000000402}6604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054225Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.104{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-834F-616D-A90A-000000000402}6604C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054224Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.114{8D4DD44E-834F-616D-A90A-000000000402}6604C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000037178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:12.973{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BB41FCA144182D765F46BC1CA97433,SHA256=8B032B9933A3F282A3DBB1241A3356BA14827207FF09C4420C6F99211C7AE173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054323Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:12.308{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9200955C0B29C7D086F28084CC5B6DA,SHA256=842547F0CBC477B264BAC1C92CF21D3A7830DAA1EDFDAA3BD8AEED7D1BDA9597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054322Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:12.136{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=809A3253799FB1F7DCCAC03762BFFB89,SHA256=8309852BAFAB94A00F147273B56E6689BA41A0B51310F81E259396B8D087BB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054324Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:13.542{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066A6461F5377FF17827C2F2C2A496B7,SHA256=4319639B6CC9297CC8F87449CD9F78C8E6986CA3ED433D8A0D5A6516EF95BAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054326Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:14.573{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDE107470DD35C4AE4E735B6168400D,SHA256=2A3BD5630498F1102F13D560E52C56CB6B9D22193FCBF18F055B0B5E89D31459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:14.082{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA864717483D396E99443EBDA95672C,SHA256=3CFAFF5ABD7DDC1B32699D3510177C7ACD17E0AC837900AF3083A13EC06196B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054325Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:11.952{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50159-false10.0.1.12-8000- 23542300x800000000000000054327Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:15.573{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D87433CA72BEB27122E8283D4A41B1,SHA256=4FE850F4F4DBFD4D2E9DC10ED1E4FB90A4D62D96B22A442388D3A35180595623,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:13.578{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51667-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:15.098{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7120A00DD245D7E8F592DC62A6F5A587,SHA256=E8860AB7F5FE84A8B0B0929C5DBD9A3B34E1149B295153388B808E86B6CCB59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054328Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:16.620{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE858BCD4B55401AA6AC6DFF365ED7F,SHA256=A165518A6B68AC0DEF6EB6D1524AABB1F82247F29E5DADD153666D79F1ED129F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:16.145{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7B0B7EC82B57936961AE523AFBCB59,SHA256=3178E367C96E1A88FC9D75A91DDAAEE065C2FADE341A785A04674398C1C6D320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054329Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:17.667{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126371419FF8F92C7992673A3D42AD5D,SHA256=8A92EF4AD57D9AF240F4EF02B8396BADEA264D2634560F92B341D22A68987B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:17.223{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6047E3257FB1BD6EBC1839B585336BD2,SHA256=D2CF1AF7BAED7ACA022F3BB4FFA45FC2CB1D0E011B48512016ADDA4C5FC341B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054331Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:18.698{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E6E0BB884F4513443410B5FDDFDA8D,SHA256=BFFA63C62C8406B00F160DDAADEDC688C82963DD65318CFA4DF097D31017BBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:18.301{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857D94F421B0877B13D43B0690D0DEBD,SHA256=F91645CD59BD486A7FF9F5BA53224D21B07ED249764D232BD64B4D178F1C33DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054330Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:17.046{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50160-false10.0.1.12-8000- 23542300x800000000000000054332Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:19.714{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA486C57A2D3332262BF46625FB83E6,SHA256=2054154085D481DA809A9DC6ED11A17C65D9184FDF0CF92A52EFA0B22D63BD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:19.363{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87BAA3D01D114B6C0C7EAFAD4C51B59,SHA256=A772895C367792805B43AA75A1918F5893ABBB2D50CC5B0E83C80668D6F0A798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054333Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:20.792{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC7CEB239786B93A18853D0FBB5AA8A,SHA256=A50DEF97DBB11DCADCAA1F633E68782307E7FADA6BE2719595E91F27CCC6714B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:18.578{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51668-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:20.379{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6ABFD9A24307EB384DA20A89A301F5,SHA256=8305D959485B08CB643DE96186006E36587CEB592606E48241BCB25E68EA0AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054334Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:21.823{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEA29158D6A2DD893965B14547B2C78,SHA256=06FD52D400EA950EABDE750CF75ABC32C4EE37A30D10607131F1AEC3D26B65AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:21.410{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB37991858BD8C8CBB0E9414BBA05F51,SHA256=A3D2197D740CF9C4080B06E59FDDF010DE009C9C11704A2862CA400D50D585A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054335Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:22.886{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7345200C585D18A606BA30ACC7E328E,SHA256=D9CD7E23A74C93E833B67EA18E1D4DCF1E0A8B76676DCED0D4A1646899C69200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:22.426{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D34361E58BD34C88B2315FBED2B7956,SHA256=31F421AF2CA03CA8D13A642EE0FB9F48099AB86301973FF79B6C4DBA1B711EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054337Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:23.901{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8EBB625656C5FD2D5F7AED2A554A00,SHA256=B42261853CF8B33A0E663271E6CB65D89218B74FCE5DDDE62962D3F2C1EB1A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:23.442{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231C66300B6F00178C1843A2AAE7B9A4,SHA256=10E879F8777B3D8BB447F1BBC82DEF216A3E347C32398CCE73DA2A962BA0B80A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054336Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:22.077{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50161-false10.0.1.12-8000- 23542300x800000000000000054338Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:24.933{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC32D37C9AD3F7F9120AC1496CB4935,SHA256=3316392693A543A835A07F2A9C9B698C3C906FC2F77094C82BAD8C41F01A58A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:24.457{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EAA055A7A67167C8A3DD43BEE9A739,SHA256=8C65798B665111558D5F371B7EBE3ED3581B420B75176D0CF5E8935768B8FCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054339Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:25.948{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D6B2781352A8E0B3A12164C10E4A09,SHA256=92991A77B802C5AA4C4CE815B47A08866781EBD3822967D2D54D4B7CA11800B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:23.609{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51669-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:25.473{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3834A99711671931E54B24FF981B17CA,SHA256=8BD8B9A8A79EEB8D5523BD1603977840B7E956E611A8D54E25C0179AA029BDCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054340Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:26.948{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCD9704145D2CDE9343EEE987E4AB9C,SHA256=DE1986A5E652D27B4E9CB9E408953CF2A0F772B9A7A35F85487791E501A081C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:26.488{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F826DDED98EC5A601D2167DA034DF4E2,SHA256=16908C5AC1ED68A6D2815653691ADB5905771E16DDCBAF68D31212778A740E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054341Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:27.979{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A13D8485ED3B68D7960326A73D4110D,SHA256=037015A5C24E2B243E405184C2A67687B5F4F0F31105269481DA74520B26D3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:27.504{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CB8C6967D003A3AD021C9D9038E44A,SHA256=B61986F1DCD1684277E3D8069E5D835BE9EC36EDA12675CCE68298F8E4C96F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054342Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:28.981{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA2594418621792A2E117D0A47384A3,SHA256=63F7BE1EF9AF679D35D4F19542C6FBBC1EA91BFEC176AB477141922152B00E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:28.520{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F40F24CE7ACD6DA89DE54F36C3B2F9,SHA256=6F7DFF4CA289AF8A5BC1191D53BF8D3BF2AA1E926A78338EAB4DF7DA93AC9F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:29.521{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0405F97A5580D5D6FAD9BE156A84F4D,SHA256=90A5BA226CC2BAF4DD89F62AD792CF51890DB4CD4C77FE11CFF88D47EE54ECDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054343Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:28.108{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50162-false10.0.1.12-8000- 10341000x800000000000000037211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8362-616D-0908-000000000502}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-8362-616D-0908-000000000502}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.740{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8362-616D-0908-000000000502}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.741{6F8252D3-8362-616D-0908-000000000502}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:30.537{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D74F4C15E68A0A2F9C67EB0E17394F1,SHA256=E8CAE21AE6B5F1535EC5ED1B3D2D1911E21EA01AA7C9EB740132AA7E19AD6166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054344Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:29.996{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08600731847CDD85E02A4CDC877B8912,SHA256=30A0AE4A85A2CBC1A38C8CDCAB84936514DA1071BEAA37DF577F9F31450FEF54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:29.626{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51670-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F19A32E75305E74A7A04BCBDFA8DAEBC,SHA256=8365560E16FCF927E0F113313D82A45FC9B9F35C72174DE94F8AE3728735D371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECE05E33043A7DDE44F32B78563AE850,SHA256=78978408D5C534CFCB1A2E7B45D68711F31CD78347E8260207BDE3CAE85B0193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8363-616D-0B08-000000000502}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-8363-616D-0B08-000000000502}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.912{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8363-616D-0B08-000000000502}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.913{6F8252D3-8363-616D-0B08-000000000502}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.881{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF6BEBC48F7D6E93429B0713AE7EDED,SHA256=48DB14430916B5C6195BAF4B96D6EFA54FB332BDDF44CB5471771AF6F19066D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054346Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:31.375{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-164MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054345Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:31.201{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93C68E873DC19DD8E482F0370CC5B12,SHA256=7F692A0BF6AF39B60416CF54DE51FB335619CDB6CE10B2CCF0B4CE2D3A94FB73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8363-616D-0A08-000000000502}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8363-616D-0A08-000000000502}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.412{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8363-616D-0A08-000000000502}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:31.413{6F8252D3-8363-616D-0A08-000000000502}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:32.912{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B513DC5A3921420C592CD3FD97BB6F,SHA256=A34C813AB12660B42CC1634A21B11093FCC4B05F7EDA7E62A78984ECE2C8F551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054348Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:32.390{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054347Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:32.217{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205937582E5957A74337F6BCF27DA276,SHA256=C9345863B1011A609AB581E4952FD46E79DF189AF6ACE287292B766F84231CFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:32.084{6F8252D3-8363-616D-0B08-000000000502}37001712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.943{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB71619436DF2D6610B05EC59CC3A0E,SHA256=269B799993ABBC15637653D5B0330639941B897E3D2E3123DD133E93DFA8E636,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054353Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:32.391{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50163-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000054352Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:32.391{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50163-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000054351Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:33.672{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=377722639CE2EE4720A1ED04A5F07E14,SHA256=F5509E163B99BF6808828E8C65154CD3714B4A0354EBD1B9CE68CD14BB02892C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054350Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:33.672{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16089F376795A1468D039FCD257AFA2,SHA256=11741A2C7D977B433FD831574F9FF32022D7A740CC8A675992189AD3077F8F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054349Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:33.266{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEE143E1EACC114C576BBE81371C419,SHA256=76C2292CAB3ADD71DA0A65A6F89C9880CF7FBDE091A7689A9F29C01F8507BB58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.256{6F8252D3-8365-616D-0C08-000000000502}17403148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8365-616D-0C08-000000000502}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8365-616D-0C08-000000000502}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.052{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8365-616D-0C08-000000000502}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.054{6F8252D3-8365-616D-0C08-000000000502}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:33.006{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F19A32E75305E74A7A04BCBDFA8DAEBC,SHA256=8365560E16FCF927E0F113313D82A45FC9B9F35C72174DE94F8AE3728735D371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054354Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:34.281{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE59F9A96E7C808DBB3C884F9A02F6AE,SHA256=29D114D8F6CA2B6DBCB28FA78B706D5AEC0069232C720743FAF990E7972B19CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8366-616D-0D08-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8366-616D-0D08-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.193{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8366-616D-0D08-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.195{6F8252D3-8366-616D-0D08-000000000502}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:34.068{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=287B7E9143A7CA7C57EDD0278666828B,SHA256=3979FE6D47F5B058A330CC4C065D93FBBA0C2C4F9BD01788E84268D47DB5282A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054356Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:34.019{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50164-false10.0.1.12-8000- 23542300x800000000000000054355Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:35.297{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366B313F9EDFB45FAC6C1DC483F52EE0,SHA256=C5CBB94A860B402C6AA707C28B19159374CBF1B7207421A727578412B7167AA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037303Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.943{6F8252D3-8367-616D-0F08-000000000502}29922108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037302Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8367-616D-0F08-000000000502}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037301Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037300Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037299Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037298Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037297Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037296Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037295Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037294Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037293Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037292Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8367-616D-0F08-000000000502}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037291Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8367-616D-0F08-000000000502}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037290Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.756{6F8252D3-8367-616D-0F08-000000000502}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037289Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.256{6F8252D3-8367-616D-0E08-000000000502}10323784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037288Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.209{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6E89303A032F1743EC145B959092D7B,SHA256=D2FC6F1FD6218EECF53FD7CCF79649E34B5C79CCBC596CBA1C8CF05E17CCFEDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037287Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8367-616D-0E08-000000000502}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037286Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037285Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037284Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037283Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037282Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037281Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037280Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037279Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8367-616D-0E08-000000000502}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.084{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8367-616D-0E08-000000000502}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.085{6F8252D3-8367-616D-0E08-000000000502}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.021{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B9172933A67E0002C1EDFF9693FEC9,SHA256=718AD8B472398B6596E714609DD1A2127BAD468205886F54EBDAB920E630E81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037305Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:36.802{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EADD0B44CB028D2C3315B3B8EA9B42E,SHA256=B3E9045F916C721904B499857D95C204ECC4174851E71091C082559756FC3E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037304Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:36.521{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6454B63F00E3A2908075A57026FA824C,SHA256=108E946B78D1CE330051853704A7B0E33E6887DF4086CF5A4DCC915B2A0EE596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054357Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:36.312{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148B61A85D00C5900F7665B2B09E8D53,SHA256=4B664C0883F3812C0F05A001AEFB03DE254062D6187240F5BD5837FAB1B3B2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037307Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:37.537{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589061E026D03EEF698986CC0DE79114,SHA256=1F245B0EE84AAADEF7D6E66A41BC5DCE15CB928D54C3890336B0420C48F6012A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054358Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:37.328{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D89A18CE11088AD86064E75C2A87159,SHA256=ED0E0358A1E708471C69DC9C3D64543FEA9BC366DA7E6286D7058561F9B4BE93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037306Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:35.532{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51671-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037308Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:38.568{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5488A4D3B2A8C4E3DB2DB0B4345176E,SHA256=2CD0B5826816B7DABDD06E9A066C5A4C9CA55DB54FED319030990F0F2F7292C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054359Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:38.328{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5877D3FD2DB7B317329683FC3AB821C7,SHA256=0432B94395CCF9741BE9E8C3C350287121969EAC94A035FCC787E5170D759E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037309Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:39.599{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAAF199C59B1A6B68A95CA808CB9105B,SHA256=C4731BEF21BFA96184F14EDFABDE5EC1E4923E9F8B49C04D91DE9B765023E2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054360Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:39.344{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BC5592097B0413575D75F8A616480B,SHA256=3D4704DE0A9910B5DA062ABC0DC991C1C809E5FBAB84B8DC0C6A9138B646A625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037310Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:40.662{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D19F535CF62CC42155FC1E1EE4B785,SHA256=6E5597D3E8ACE93007C0423A8A212207E6FE3C1FD3EE1ECC731279CEC0E7517C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054364Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:40.359{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321DA266ACBC90A74679055633CEFD6A,SHA256=2824D000EDD6F4C1A3B6F0B702E860D8042F9A2A8C2999CE80F8840ABB5EDC04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054363Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:40.125{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054362Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:40.125{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054361Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:40.125{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037311Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:41.693{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB497DC7817952D993E184B11C83EA7,SHA256=5208FA9260C2E32131446CFA1C2D364926AC1CDF431092C45B16AB3C7550C5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054366Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:41.375{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F731E59023075D1F582EE29605991C13,SHA256=1491E03FEE9C710BBB59665088157E63055A87DA93829D5F837AAB1645153151,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054365Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:39.035{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50165-false10.0.1.12-8000- 23542300x800000000000000037312Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:42.709{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8353449B67A5F0041913480ABF4259F2,SHA256=DF86D75B7FB0381EB9CF68428AA1628931B4305B4C9A8CCC2E65F0587E2A03DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054369Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:41.584{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50166-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000054368Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:41.584{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50166-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 23542300x800000000000000054367Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:42.391{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA735D44ECF4FDEAC7C85F639D9EB93,SHA256=CFAA080BC26A3672D5532E1A298D95457DD9E19B3351ED06D6A591640C87015B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037314Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:43.724{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAAEA3018FFF71CF68367987B904523,SHA256=C3E754512AB53FF5D98AC505920F28DCCA688C996E01ACBC336965280A5D73CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054370Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:43.406{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B26482E1C21C57C5E9B42657E7AF71,SHA256=C18C1EFE6E7F5A28F0AF6E2171E8E3CD2B4C952A25CB5EC2FE90739D2DADFB9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037313Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:40.626{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51672-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037315Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:44.740{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8F1454A5D844AD3967B5A594328EDF,SHA256=5CC8525F2BE7207354DADE4C0A777954A28AA738C599E22F4D1235A4148CCC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054371Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:44.406{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C171FBD82FEEEBCF4653ED0E467682F3,SHA256=868A14816DC0A8A5C26907F12C1FCD5E319B09827D4BA4241BC2368F38ADD6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037316Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:45.756{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFD445DA4DA1E442EBAF47D8709687C,SHA256=894C30CC598DCCCB4568BF5407CCE53D2CDC27FF5CF77230F8170F9A99BE8A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054372Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:45.422{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0B37DBACADC35D84FAD5283394C46A,SHA256=F8C578FA17F4EBDE30F3EC7F131ECC55707BD9DB552CCE3A99827D892547AE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037317Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:46.771{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C726771641503003CEDF5E9B7A80A1D5,SHA256=A0FD56A4D3F7BA81C85C46F877A9DFA7BED71C4040F07202A09AA0D06B5A218A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054374Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:46.437{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF9C298B68C8C38659B1E69D92EEB1E,SHA256=B57E4A6E127350E5C864DAEA798A73A419627D18DF8C5D6C352DD86CDAB37AE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054373Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:44.050{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50167-false10.0.1.12-8000- 23542300x800000000000000037318Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:47.787{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32322A7E28B39C0B743612BFF348ACB1,SHA256=44A591E0F8CA31D6717D9804AB7CD88FEBF2AFD02C3F07300330F920CAA7EB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054375Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:47.437{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204E56D920ECB613951E687EC9BD497E,SHA256=762FB28B831F3778099317E84BBAEBF0C4DCD291A4A35F087D36879232A3EF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037320Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:48.795{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0D99EDAE1F0EAAB33982E331AD3A4F,SHA256=5FB1E8300241BFBA169A11FF8D6E3A44476DD9FCCE39357BAA362FC5B134F72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054376Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:48.453{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77849FCB11DD3084F1EAABAF9CE56FA,SHA256=CB1FE16ABE78C778F4720E37447DC77F9E224B74D74D2D281CEAC80D5018BA06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037319Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:46.626{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51673-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037321Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:49.858{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1758113A20B7888F829C92B2EAC91CD3,SHA256=49AE80E8FE4C2C65280011C0B7C411DFB51A886C9DADE75BC0BABE88FB42BDA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054377Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:49.458{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8684ED7C99D94534044AA06CF06F0521,SHA256=B46A1289EAFD6A1613B88DDB2C32AB54BA44B12E3053B4D42E4C86C9ADD8C368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037322Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:50.920{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E841E787B67AB39C50E50EA67A56D2E3,SHA256=FE68BD775D571C2F18B05CAE6073DD3BAC946C91E5858B60D9D65847C4847DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054378Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:50.458{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6913A40129E2E73F53A5CF78C5A7141A,SHA256=434CE920B0778B0968133D08F5CC58ED6F0A4AEA85726989057D385191B796B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037323Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:51.952{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B37B4E3BFC986F020CAA9A67BF6BA37,SHA256=9A4FB4864A12A4595110CC030D30323B295753BEC07D78813E42250E66F2F0BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054380Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:51.474{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7240DA66F247B2D45CB53417BCB56E3,SHA256=F35831D4904AF08EC8E94A1CDD8FD942F13EE7BE99D1BFFF3E5BE4674397DDBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054379Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:49.087{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50168-false10.0.1.12-8000- 23542300x800000000000000054381Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:52.490{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D3E351B841AC22158BF9219E2208C9,SHA256=80D03078D4B3DE648E26500E934CC06692195C48B4BA8FE94E4D4AE2A18E1AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037324Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:52.248{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D6519F91CB08FF8F6765C48AF61DB11D,SHA256=7327609EEE243413342AB6DB976931210E8745C669FF8C8DD4F97F3E9FD8A1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054382Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:53.505{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8ABD23BC4B52945010206C720C7210,SHA256=CD0995EC138757922D5FA800C5239EA7E04A11B31A83803180937622512489CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037326Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:53.032{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-156MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037325Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:53.014{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F918A0A3C57626067B1F4F7C52426203,SHA256=F23E5302335C46DA99A6D55A0B4A1BD243AE532D8175B47DFB25F8B6D1FC9D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054383Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:54.521{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3371F068E78711F49580D43D02A549C7,SHA256=39B5046229B876D25B6D24E02B5CA9A07285430E89EB4A76C64D3366FD3ECD69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037329Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:52.571{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51674-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037328Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:54.047{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51332B137C09700211006C94CC38321,SHA256=E5EBB7017AF70D401EA7C23820E622275D2FB650CC8E702FC550CB886407DDCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037327Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:54.046{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054384Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:55.521{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD89E8BBB2F35F59DFB8396C503BDD7,SHA256=635AF96AC93E22BA23CFC2906576C2EF4CAEC4692355F6CBFA083F0086EE71B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037330Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:55.093{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6936787A10E69FDECEF1CEA5AD9371C6,SHA256=44EC93AB3A5AC40883A80E066E0C352AEE0899A9CCABAFFDBA16A2939FDAA46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054386Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:56.521{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85C448F21C9D23F876F2C9C83B65415,SHA256=17DB6C15CC3DCAD5A10212AAFA3BACB47D1EE0FFD151EBEF25C0E9107AB2BDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037331Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:56.108{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D2803C2A0E15DDAB0CB2E54F2E7FDE,SHA256=21A33DE1FE33DE141B09EA05602CB6A26BDB565C8D6E2839393F1FE2C87D5A3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054385Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:54.946{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50169-false10.0.1.12-8000- 23542300x800000000000000054387Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:57.521{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7B263D804EB094B058A572192D29C1,SHA256=60A39501B97E744BF4D0946C28E1535268F6BC3676D053EC6A71D8D6B68CC789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037332Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:57.171{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAA1C4F33B23D178328976DF44E7CBF,SHA256=F970735258C9ECDBAB330D3537D4457850617694370903B64A7BAD7FBABB7705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054388Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:58.536{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315E7C1E0BC07327625DDE0B380FEE6C,SHA256=280A09FA61B4065D33DF666932ECAD6A6740D2A94E80D96626CC5398DCCF9837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037333Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:58.187{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C600471A7C5C0171C415610903C833A,SHA256=18241F9AABE676826CAE0050595610DC41BE970891C868B2C22CD6027D8BA380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054390Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:59.739{8D4DD44E-5BA6-616D-0B00-000000000402}6284100C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000054389Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:59.552{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8F3F7E1429F4A8F02F2DF5FA08AB16,SHA256=751D648BA651C7C92B8AE630D9F41081A2E14485D17CD94B900F89CC60AE33A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037334Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:59.202{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA7785B3BC546BD7EF16ACB4DE147FA,SHA256=A9670207A9A816F1F158682EE27B56CB51526549F78FA363F654E772C8924B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054393Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:00.755{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2710BBC23AA76AA8831BCF73DDEF7EE,SHA256=725C3C619CF27EDCBF2556A9EDEE6AFC197B6A6618F2CC55F7405E3F198C9BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054392Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:00.755{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=377722639CE2EE4720A1ED04A5F07E14,SHA256=F5509E163B99BF6808828E8C65154CD3714B4A0354EBD1B9CE68CD14BB02892C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054391Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:00.568{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A315B938BF9CF28A5958C5609CE5179,SHA256=923BFB6FB013832A952227E85DCD09A79DD9FBD5455AF9EDA12EC8E97010F22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037335Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:00.218{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D3759D16EC6E6C1AEC3981D1259161,SHA256=6C06CAFEF75E138A2F64EE41511A4BEE30060CC7D8D918404F4D2B49D3B8541A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054398Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:01.927{8D4DD44E-5BA9-616D-1600-000000000402}12924768C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054397Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:01.927{8D4DD44E-5BA9-616D-1600-000000000402}12924768C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054396Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:01.661{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD02CA63582FAD2A6239B3C7A59FC2A,SHA256=112D6A70040B9A50FCDEB8EED989ED2B6C535FE976D1F9234840052F6AE64093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037337Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:01.233{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1706FE04FA8E621136A55501C11F7D,SHA256=60857DF22C241C69DEAB46C495B7613D4CC9A07525895CC66D752B7FAFDFEE70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054395Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:59.587{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50170-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000054394Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:23:59.587{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50170-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000037336Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:23:58.556{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054400Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:02.677{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A5E9A8679BCC2B2CF9C7D88224CC40,SHA256=6F9907657419CD3BCAFC5DBF2A16979B0E1FACE0819E5F58583FEB64A2BAD68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037338Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:02.249{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230F08BB2AC5B85157BECD08B6EE8DE1,SHA256=315F3C53EE4DD75DF6F3E5D9B377D4A4B71E45D5CA330D1F2E3C0BB4E19F2897,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054399Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:00.993{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50171-false10.0.1.12-8000- 23542300x800000000000000054402Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:03.708{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F4AB53B52075C5EF0BF63C79FD37D0,SHA256=23C183873027556A047462B30BB1F665829A3CC16007086AB3333EB0898B32AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037339Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:03.265{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DD8DFD384AC964B8636B8E730C855B,SHA256=9B9D3A16215D6FB1E145944249313FCFE685836F0C634D972BFC1E7BADD4B120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054401Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:03.052{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1C30155CDD1C56AF8D0F85781B109579,SHA256=C6653762AA9145D8221714226AF9A1E294A01CCE4E1405AF2664924461DAAADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054403Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:04.739{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4884BDDC26CB9C8A997B348FEEB240C1,SHA256=CFB169AD2DB91A737FA08E0EE65889398F30881CDF5FC3276F29C8E4966A7E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037340Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:04.280{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19531F71B8B8664D07B081235268EAA9,SHA256=24ECBDB72943F3044F7A4CCB0622D1978E0483CD794CF71984E6CF0979133510,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054412Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.989{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8385-616D-B40A-000000000402}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054411Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.989{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054410Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.989{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054409Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.989{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054408Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.989{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054407Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.989{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-8385-616D-B40A-000000000402}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054406Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.989{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8385-616D-B40A-000000000402}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054405Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.990{8D4DD44E-8385-616D-B40A-000000000402}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054404Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:05.755{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6D06D075986E023FBA6302A34A3578,SHA256=04C53D79D2C215945998DC7FC742C2B2414196A48296146873BCF787C1ECB447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037341Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:05.296{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEEABCFD9451C94E5CBD7B61B14A4C7,SHA256=44FB10C188AB7A7E22A4121668123780FCCD8CD004D0CCDC0C68E78DBC768385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054422Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.802{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BD6C519DA00B521D606CE5EB6F2582,SHA256=2D0AC872C236E795B7B24A2B569278A21AF0EEFBD9EF47EC716E4EF81F019F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037343Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:06.312{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80361B41CDF8E317B01D187A64799730,SHA256=BA7F7978409C61F3120DA61F090B315B1BF0B35CAF7C28B453975082CE01E8C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054421Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.661{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8386-616D-B50A-000000000402}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054420Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.661{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054419Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.661{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054418Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.661{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054417Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.661{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054416Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.661{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8386-616D-B50A-000000000402}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054415Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.661{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8386-616D-B50A-000000000402}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054414Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.662{8D4DD44E-8386-616D-B50A-000000000402}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054413Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.177{8D4DD44E-8385-616D-B40A-000000000402}44722836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000037342Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:03.744{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037344Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:07.358{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97240EFAE52BFCB11CB561E41493123A,SHA256=F257A4DE319B1792B30E6A96A49422B55324EDDB2711164F2565F8794F1209D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054440Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.880{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8387-616D-B70A-000000000402}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054439Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.880{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054438Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.880{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054437Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.880{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054436Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.880{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054435Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.880{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8387-616D-B70A-000000000402}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054434Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.880{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8387-616D-B70A-000000000402}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054433Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.881{8D4DD44E-8387-616D-B70A-000000000402}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054432Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.208{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8387-616D-B60A-000000000402}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054431Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.208{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054430Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.208{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054429Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.208{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054428Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.208{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054427Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.208{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-8387-616D-B60A-000000000402}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054426Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.208{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8387-616D-B60A-000000000402}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054425Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.210{8D4DD44E-8387-616D-B60A-000000000402}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054424Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.021{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE65D1E3CFCAAA6F7144A00CD926DED,SHA256=20FDD71B14F5BD8EE01E00F81C845CCAD6CE1BA7496805B629EB1A885C3B8617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054423Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:07.021{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2710BBC23AA76AA8831BCF73DDEF7EE,SHA256=725C3C619CF27EDCBF2556A9EDEE6AFC197B6A6618F2CC55F7405E3F198C9BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037345Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:08.421{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C03D9EBD41C16DB1B302491FBB4DD6B,SHA256=CFE603ECA5A36EB3DD714A85E099CC47DD35CDEC31E70C87C54707A13EFBEB5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054455Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.739{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054454Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.739{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054453Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.708{8D4DD44E-8388-616D-B80A-000000000402}53086560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054452Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.708{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054451Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.552{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8388-616D-B80A-000000000402}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054450Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.552{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054449Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.552{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054448Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.552{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054447Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.552{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054446Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.552{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8388-616D-B80A-000000000402}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054445Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.552{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8388-616D-B80A-000000000402}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054444Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.553{8D4DD44E-8388-616D-B80A-000000000402}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054443Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.271{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE65D1E3CFCAAA6F7144A00CD926DED,SHA256=20FDD71B14F5BD8EE01E00F81C845CCAD6CE1BA7496805B629EB1A885C3B8617,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054442Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.083{8D4DD44E-8387-616D-B70A-000000000402}14487148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054441Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.021{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F767BBCD8F67EF0FB834D8D39527BB9A,SHA256=AE721DA5D3DC3EDA2079554B9054B3813F962074FFE7E9DAD9DBE83A7420120C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037347Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:09.488{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037346Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:09.441{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF37017C16BBB90B05C268F0D3899592,SHA256=379D7DB664C8DEDF6B84FB7B7A154C0A8112B1B2F274C38C66C983EEC29F68B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:06.993{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50172-false10.0.1.12-8000- 23542300x800000000000000054466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.557{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56D19E3B21A48586D25B0764E503BD45,SHA256=5B8A1063DFE542654498878A70E4ACE182FAF2B18BA7B35E853E857076F7F060,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.354{8D4DD44E-8389-616D-B90A-000000000402}65525220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.213{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8389-616D-B90A-000000000402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.213{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.213{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.213{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.213{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.213{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-8389-616D-B90A-000000000402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.213{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8389-616D-B90A-000000000402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054457Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.214{8D4DD44E-8389-616D-B90A-000000000402}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054456Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:09.041{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85079E123A652315ABC90019ECF138E,SHA256=A70307D75F3EC56EEB3C1DA6308E19305F9AC36E7D170347ABD433DFDD1A584E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037348Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:10.488{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3372B377615E68774D5F7A568E3EF327,SHA256=372F5BDC13C7107E618E382579C1BAB48AA3139B5002F7F560A1B31C7BE66174,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:08.556{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50173-false10.0.1.12-8089- 23542300x800000000000000054468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:10.041{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554538203D5FFAD4BC0A3592366A1E4F,SHA256=373D61262F9095D510854CCAB215573E371319B7B30A52A0743B79E8B57406AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037350Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:11.550{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE865C58196F7A243018D6CA73E82E5,SHA256=20690EEFE4DDAFB036D0C401435E0BA1EDA07A12506F41E79B7DC8E902EE44F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.698{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-838B-616D-BA0A-000000000402}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.698{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.698{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.698{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.698{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.698{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-838B-616D-BA0A-000000000402}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.698{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-838B-616D-BA0A-000000000402}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.698{8D4DD44E-838B-616D-BA0A-000000000402}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.588{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1335385BFF7EC3C6C761923A66F9D1C0,SHA256=9AC8E4973FB1AC59A9D370A8AD5FC0A08D817E9C677A8B0401F0AE9BC7A03621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:11.057{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3677BDE8FC355612D09EE36CE14222FD,SHA256=861DF00D64E16A03CCD75F1FC54598840910FBEA56460956405DFA33E3B1C5AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037349Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:08.951{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000037352Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:12.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C634BD78ED4ED52E5D36DBABEF9D9B4D,SHA256=0E8C863A397A2E546CBCC4C97D518B849550F66A6DFF84B24BF7CE3CF2FD202D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.713{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1A349657D2B34F081817F8C66445382,SHA256=A77DD7D3087FC59013A76A9EDEFC69BD638B779D6DB147ADA6420D4A9BC130F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.526{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.526{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.526{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.526{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.526{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.526{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.526{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:12.057{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31F4C116496F24C15BAFEE1D3EA4F9D,SHA256=D1AFA957B896BAD1F650E0FD42E95387714C68BECB0AE508CD7BE05FF9CAFB3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037351Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:09.482{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51678-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037353Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:13.644{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99974347FD5647FACC41B1BAE78BA67,SHA256=DEDC1065202A5E3562B74A55B865112AA9F96D017DB87076C09C6C70DAD2D3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:13.104{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7010917DA3156B442B6154CA162853,SHA256=C36711DFACE99D9C4B1DDD2EC50E0A82D43A95E9E5CD8D1FC4D4D167625DD827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037354Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:14.660{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B76605E3874974A825760077812783,SHA256=86B84211F7F4390851D92DC475EC261FE052BAA89C5DDB492FC3AB4F724F8B62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:13.029{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50174-false10.0.1.12-8000- 23542300x800000000000000054490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:14.119{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E6DC040DF2A475136167668DC56CE1,SHA256=D31A376FC233AC8E3404E991DC2EC5A6197605822784E536F6E8C010676A7704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037355Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:15.722{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630641A414D29B1CFCD97E26AA442B82,SHA256=E00E9F93840F8829D406B1ACDA22FB38DC215800E92CE7609A084B9858A9C09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:15.151{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDC6C7C7DBF7F120F3CC41331F4FF15,SHA256=ADD64F40635998EBEC4B88A9098261FF070F575A9BF77D7218B4DB2D81F86BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037356Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:16.753{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A98015139D3619CE977F7CCDF3C077,SHA256=76D604D06B59FAFF0B204876D58EEE68625FF05BCAC5865055CB03244B359FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:16.197{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91904DBE3F6835F039804446EC1EA98A,SHA256=C198E2BF70E07E5A4F1C5FB392E4845722E3D553025B8380A0D861370450A895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037358Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:17.769{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86359161F89D8E73FF585B5082C5A6EB,SHA256=BD4F4AC713E89E83B3CA090C5A95F302FD603FB38C402582CDE5B7401E3B86E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:17.213{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454FD278EE6D45FBBB1C68E82CF9DF66,SHA256=FA79829386F76735CC373F3C98EEBD09E500FAA3C035998EB6E1FE6FABF27797,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037357Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:14.513{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51679-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037359Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:18.785{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A2AA7B1F70188C3C61917FC42C7528,SHA256=954BCEBFDCDC26DB0C3077FA1E01AF229D2C91DD671B96675979A9D98844AA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:18.229{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BB0B0AAE6CDBDF80F5A83562C573C6,SHA256=7E27C4F1C72ADBE747FC32267BDAD8B42C85B680FBB12B269E134A94A2BFEA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037360Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:19.800{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7DDE4302AEFE136622D7CF713EF1C7,SHA256=BF2C80FACF818386F946754ED188F84208CB0C286A3CBD97C0A1F55B138FE148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:19.244{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39EC884ABA781F1BA61AE4F5D31C8FAB,SHA256=C07BFC2DBFA945A351016A605203D69C6CE793653818B1D179647C124DF71E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037361Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:20.894{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EBD839044B7B073392E09F8106F66E,SHA256=FEE0F89F6A67DC06041372F748FDEBBBAD3FB15A8255676C25A77F2C311369E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:18.966{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50175-false10.0.1.12-8000- 23542300x800000000000000054497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:20.261{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BAAD47307495A170337410293E5A2B,SHA256=806550D8D32FB7F35AF4DB184C03460F19469EB4957489E11DC08DBCD5C66229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037362Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:21.910{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBF7A9BFF29E4A79B951A788D85615A,SHA256=0D03EA16D85ACD450957C92E143154C94CEDE788C0D06F8E334BB5EB4D860489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:21.277{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81644C67346314ACAA0D219E083210F,SHA256=0C77AACED758E7C60003409F4EF8A9647AB7F543312FB2A1A6AB3E1B1D42C938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037364Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:22.925{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0595A6B9B15E00E16567A07878030B,SHA256=082A6BB33DBA10D529C38A668E491164BA7003F205FE609B71B80559D638A16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:22.277{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A21DDB404B7AB3E5BC81AA0AC48DC1,SHA256=CC8FF3940A0F3CB9D27CA5951EC91BBAE92E930DF65A0DF130E7143A56B35FFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037363Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:20.560{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037365Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:23.956{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20975D764376AE48BA30557847D17E19,SHA256=8E1B3BCBB6DF7392D4F577F0EFF59FC2B93092B26A0D41F3338960F3D972693A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:23.292{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DCBA35FB2123A5DF10C0630D1EAAEA,SHA256=F20EE547C1CE0E68A3C25E3F05A6400D6894D5E2ABF3E928334F70F7714F561E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037366Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:24.972{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E86AEA84BFC82799364437DF4F2436,SHA256=0190A977460CE034C4C222694FB5B1BA3ED88113D2E9E34262265AA6CC3DB630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:24.324{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDAF7231E8280143DCF08B7F015C3F9,SHA256=65394C100A397EB4CB8921F24E87A3C4B3EAB83971527064CB24930ED96B412D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037367Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:25.972{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9A6A0720F9C10C83D8122D08679631,SHA256=812B43216A4FAAE71131BC45C58EAC91E58D83F2EC59E5B47E70F82B4C5324BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:25.339{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25B7E638F4C549A591233F94F7D2045,SHA256=44B59AC3B7EDD2F64EE2EE2020BF3CC2AE6FC572A8B9A691381AE28A870168A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037368Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:26.988{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EAB2DE885066BB301ABCFCF5B87F4E,SHA256=62F0E2CB66375827D6826EB7CD113CAAB6BAA30A3CA485285C671335F06DAE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:26.355{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8E823440B35E373F0B8EA6305105E1,SHA256=07F673BA66FCD4FADBBDE0BE15BCC71A5877CCD73E3930E80FEBBD092532B114,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:23.983{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50176-false10.0.1.12-8000- 23542300x800000000000000054506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:27.355{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1AE74BD915AA5E0BFC7AC1F39E3EB8,SHA256=489BD028DC0FB9EFC1A875FA542312AEEC5BFED8AEE20F882D1130D3B3CF6DA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.745{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:28.386{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C865C458E96E7EAA50022B696A05039,SHA256=F9B6069BB9F82C37ED50C96116F7FDC86D0984D33806BAA8D10E14B3113E7DB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037370Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:26.544{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51681-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037369Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:28.003{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EF90BD0A33D21AC0FFE9D0E05173BB,SHA256=64DA2CB9AC7AF0147CAD404D56A24F2B1B96284AC68BE5873194754DE6CABD9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:29.900{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4698E322A3B0F16C8E18A085C4D55574,SHA256=FE8D154138A4D1911181A8C038CAAD7F6DD371B8AA122BB09C235D4D30E11C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037371Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:29.018{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFFBB0545161D921F11B76E0670BCC5,SHA256=F3F3EA13A56E4EEF3B1DFFCEEBF59140AFE7CF6A951BC1E6E4B0E4AC89E90E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:30.931{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38DABCAE396756057256D6F36940007,SHA256=72D4C979BAF08167B2813460C283C25F84623FF38276F189CE43D55F7ABBD156,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037385Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-839E-616D-1008-000000000502}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037384Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037383Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037382Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037381Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037380Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037379Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037378Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037377Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037376Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037375Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-839E-616D-1008-000000000502}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037374Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.768{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-839E-616D-1008-000000000502}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037373Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.769{6F8252D3-839E-616D-1008-000000000502}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037372Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:30.034{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F4F4E0D9C00A4CFA05BBF64E5F9F3A,SHA256=5EBC67DBEF450E7D452A93B1D3574A1D10FDE29F0137BBDFCDEC1DD58BBE78AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:31.947{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93478B01FE5B81DC9FC3996A59FAA411,SHA256=33E0DEC08B2386736278932D2198C94FAF4CBD1EBF810E5306FAC34D5D73D2DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037402Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.878{6F8252D3-839F-616D-1108-000000000502}3956972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037401Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.878{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC467E1AC3F1032E551CCBD3635382C5,SHA256=2FCC0299B8B7F6755BB9DA0205D5B735FE7DDD5D144BE955046329CAB278883D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037400Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.878{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FAD1D34BAAFED5E2EBDF420C0E88052,SHA256=70AF7E0917A2088CBC8B85CC7863729BC30EE2B6F6586C3472055A618066A229,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037399Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-839F-616D-1108-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037398Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037397Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037396Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037395Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037394Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037393Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037392Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037391Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037390Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037389Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-839F-616D-1108-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037388Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.659{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-839F-616D-1108-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037387Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.660{6F8252D3-839F-616D-1108-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037386Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.034{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C550F340F6356139AB12FD144F5260,SHA256=32EE4330BB6BF4B414B1108F68B8E7377316C690922A024334227F38BD5B2BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:32.962{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B758193B1E24C00E4F1EE05C319FBE,SHA256=BDCACA8D2637391650C824FE4976071A8F1D485115127B84549AAD290E749BD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037416Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83A0-616D-1208-000000000502}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037415Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037414Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037413Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037412Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037411Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037410Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037409Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037408Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037407Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037406Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-83A0-616D-1208-000000000502}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037405Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.159{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83A0-616D-1208-000000000502}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037404Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.160{6F8252D3-83A0-616D-1208-000000000502}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037403Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:32.049{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8533F881C80B86B556C5471A28D634A,SHA256=C89776E05CAFF1E342C69C7060361AD8FE27B492CD8020E6F0519481BBCE4E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:32.918{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-165MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:29.981{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50177-false10.0.1.12-8000- 23542300x800000000000000054555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:33.976{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BF1D902AD980FD07BA67BA2CD8A63E,SHA256=F2642F991E5F88CABB129719F54EE32B896035D8093BA7EC91C76756D8FC7EFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037432Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.221{6F8252D3-83A1-616D-1308-000000000502}15163288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037431Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.221{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC467E1AC3F1032E551CCBD3635382C5,SHA256=2FCC0299B8B7F6755BB9DA0205D5B735FE7DDD5D144BE955046329CAB278883D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037430Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83A1-616D-1308-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037429Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037428Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037427Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037426Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037425Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037424Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037423Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037422Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037421Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037420Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-83A1-616D-1308-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037419Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83A1-616D-1308-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037418Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.081{6F8252D3-83A1-616D-1308-000000000502}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037417Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:33.065{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170B38DB5302989BEAAE1931BE89E071,SHA256=CD8FC89E3D37B2C85B4C2AB7E5D060E9C84123D224F7F73271C23C267BCDFE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:33.932{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:33.634{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFC97E01FCE68D7EC7A462E3197BBADF,SHA256=6416D0F94B3078CABD4375ADF165A795ABA49BAAEB0185F010D8DA3A8A131988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:33.634{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B54B18E1EB057CDC45465A655903761,SHA256=12D4FBF9B7674EFCB8F6E0E08557953404852C2E4D5F045F6B093AC3A16170C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:33.196{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:33.196{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:33.196{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1500-000000000402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:34.995{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1DB71C183D06BC6E1D3EABDD588283,SHA256=BC52BD245E9C7C61B082DB7CC9862EF9083BD6A88D4FA5C105EF83BE1E7DDD91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037461Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83A2-616D-1508-000000000502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037460Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037459Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037458Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037457Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037456Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037455Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037454Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037453Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037452Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037451Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-83A2-616D-1508-000000000502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037450Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83A2-616D-1508-000000000502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037449Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.878{6F8252D3-83A2-616D-1508-000000000502}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037448Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.409{6F8252D3-83A2-616D-1408-000000000502}33723224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037447Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83A2-616D-1408-000000000502}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037446Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037445Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037444Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037443Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037442Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037441Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037440Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037439Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037438Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037437Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-83A2-616D-1408-000000000502}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037436Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83A2-616D-1408-000000000502}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037435Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.206{6F8252D3-83A2-616D-1408-000000000502}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037434Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:31.700{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037433Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:34.096{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7E293148645ADC6F391B6AA595306B,SHA256=D709A7BFB04DC42252A8DC639F736464B9794685F4083323493657B8B4479CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:32.419{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50178-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000054556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:32.419{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50178-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x800000000000000037477Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83A3-616D-1608-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037476Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037475Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037474Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037473Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037472Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037471Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037470Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037469Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037468Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037467Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-83A3-616D-1608-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037466Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.549{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83A3-616D-1608-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037465Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.550{6F8252D3-83A3-616D-1608-000000000502}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037464Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.221{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53006CC47DACD25AC885158E025C902E,SHA256=E5907EDE9E51DE6C7467A5E5F01E84021C58D3B8DDFFC8401BF557A17B1A5C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037463Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.206{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B789246262AE8F947675E822632053,SHA256=2AAB929CCCCE4650B0707F2A7E648D57AC7B3BEFFD067003B2CE6CCD9ABE1CAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037462Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:35.065{6F8252D3-83A2-616D-1508-000000000502}3516864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037479Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:36.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B5401015EB4F479A3C1C91A3015A0B5,SHA256=E2758864EC29FD215E6B9F8E3AB036597804E2C9A7077D9C194408C9114F0BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037478Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:36.440{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D08053B619EA3548287DCECB2660BEC,SHA256=A5524A26A3ACAA00C220A672A9A6518015F8B731C1E669957DC8ECDA5EFCD06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:36.026{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467D0DDA4141DF37E77B9C4767F9E065,SHA256=0D2765B3DF3C5D7FE04F32CA0F6B5E4901CBDA3425EA46C142328266DF3A2927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037480Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:37.503{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B4B427D83BCD5DF6E5EB62132A7286,SHA256=8215652F132437AE6D7EC48238E315E02BFF8BE995449B2F0304C69ECAD509A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:37.058{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8C93A396267410C0DAC90D34D723B8,SHA256=0CFF3D5E51475562CA7CC2C1E30E4A294A3417F419B286F21EAD11C99AC7549E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037481Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:38.549{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761476B3FFD6B090F0DBD67D60854DDC,SHA256=015D8E6423AE15C240457758C064DE7B932C29D50A2660C4D68072E3DEA05960,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:36.030{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50179-false10.0.1.12-8000- 23542300x800000000000000054561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:38.073{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09336C59FB720E2658B74B0DA6E116BB,SHA256=F5D03D6D1221E7442F00E4C8EDA11AE4F55CB9303F6D3A27950B9365CC4D124E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037482Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:39.612{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2178FA45A30940F292D8519AAB30FC9B,SHA256=2CD0278505922D392B079852904A6DBEE903EA556A2091A175269B0E9384EFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:39.120{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE761B0328FB1AE4A28B8CE037D5267F,SHA256=E22950C530856CBEEADBD3824C4B3933B695550982FE3EDB8A3B3ED0B7239225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037484Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:40.643{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AB08AAE32EE41DE2DF2D09CD672B38,SHA256=BE7B972E0DCE5C4D35DC5F7295750657C7EF89D63CFBCEA9A0D1A2DE9DAE22AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:40.151{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DC6FFEE54201CBA563E9B7F0FFCA9E,SHA256=3BB8249AE986EC92DEAC0CDD09C395D59F6923F02C230B75E2A4F2C77960315D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037483Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:37.559{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51683-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037485Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:41.659{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A51E3EA7BDE4404E79679B52ECE4AC,SHA256=DFBF0E752056BD2A4AC2E9F4823966C31FA444CB4BA1A8B18C836D8F2B535D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:41.167{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BDD4691A8189CD4D4D16B157B76CF5,SHA256=839284B861CC3F2D5AD8772E1CFE13ACA2473A11C0C262DB414E722B21E4A2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037486Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:42.721{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B37AF10936B06DCFD9EBA0840694E36,SHA256=65605CBEDCFC3C0F7129DB96EADA4ED7AA2AAEC8F4299C88171D1FA9B7DEA3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:42.183{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6041ECCBBCCB43D2A3F14D6507A779,SHA256=275299FF263371CA3F9A69FEE478B75DFB2804CBA6466CB30A3DCB05AB8C625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037487Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:43.737{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CECE12FAA80D6C0FDCEF4F79CBE9855,SHA256=5981BDD8483F30647B350D4AB39C46BBA2F45239DE62C5AE121347C2DC421276,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:41.967{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50180-false10.0.1.12-8000- 23542300x800000000000000054567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:43.198{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5014687AFB31969611DF0F1A0A8B9A7,SHA256=CDC96A74FA491B707D4BBACCF4F22E57907A27C448AF6AE23507609551A8A7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037489Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:44.752{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF81EDDCBEA1A172DB6BCC8BC0990102,SHA256=6B27339B76F63C6AB6C6B780249FECC13AAAC61A933100C729F38A0C4FA66010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:44.214{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC5A050DCE402D3B17B9F0E68C51FE1,SHA256=FA32924DB0D36A00170489F4A9739336B0C444515B0DC121A86CE3316AA39C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037488Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:42.559{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51684-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037490Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:45.768{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D5DA159EA9C90B7B324190EF705756,SHA256=0EB51B7A728096DBFF94B7F7150A3F019B3218B12CB1D3586D079E4F631ED714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:45.229{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1565FBC2D1CC33E1314D2E8CE8FA89A,SHA256=FFFC411DF198C785C2446B8FE7D9B6E0A5CCEEBDE915866DC2746E02A0BDA7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037491Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:46.784{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB4256393E3D0A7767A8207327C3F1B,SHA256=E555A8D197388C810F7A10F7E94759937776F72FE24A1D4CF41F31E05336005E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:46.292{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F04FA0591F580EA4DFA406FCC2C39A,SHA256=BDDD5C3DCC5530855187F8F3E69B69B6671F71CF481E20B1DE02CAED6C808E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037492Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:47.799{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F913787FDD809442DDB7867BA9160022,SHA256=BF1529C43EB26079AD7981ACC5EE5D7B00A78AAAFB239EDAA600404525B09C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:47.323{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A1327581CF69F23015B0D9CABCB4AD,SHA256=CBF0739662CA1C58019E262B747BF326CFB268ED2BFA7515E742CF45021DF208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037493Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:48.840{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B8AF13C2D13F924C8D417CA61BAF0C,SHA256=333A60494FA01B9E8108D0F8607E8927170B2EB9E7BD9893A704EC5C3D098EA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:47.076{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50181-false10.0.1.12-8000- 23542300x800000000000000054573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:48.370{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77FF8D0D332B9A6179407BB869AE9F6,SHA256=F52D68216E7D61A909DB994FDC5DF98F93FF4EED63AC5A25E4259F985471BC44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037494Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:49.918{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993C098A960B6D2801664146B72F9EBC,SHA256=8954E17EDF7EEA79A235DB3C2FD213DBB8D2A532DBA4639676D4759CBC42473D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:49.440{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F095827C8F32DEF313365E6B81540B3D,SHA256=40D80B0C0A7136A594BF6FDF1CF3397B95297B9B967D1BF3BD171491BDAF4D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037496Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:50.934{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388A53DA3A9C6125A0AE492BF7FC4DC6,SHA256=C33EAA1DAB58D97A8DFB11F936E9B2F2F829EF1DE0C7DD0AADB77E4B39391668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:50.472{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540727FBFFB82360AD1A026DDAAC54BC,SHA256=F9E8C297ED408A745270216F2F0AE6D60C654C76145568E1229B788022C3C608,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037495Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:47.605{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51685-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037497Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:51.965{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71181B5518CEF7ACFDAFE588F97E1351,SHA256=E69BEAB41A7B2F30DF8551D2CA6130D5DE6ADB5232F98F8F2B8F208E37529887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:51.519{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B6F8CD508FE76DE211C83A4EFE1AE3,SHA256=9089AB727A53A23DCA5327DB585DA44FB56401D902CCFF52CE6D0AD3938AB0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037499Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:52.981{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF36E8DDC279838FAABB91E3116A5DB9,SHA256=EA79F026AD191F62AB16316FFF91CE5BFB30CE2D88EF3D1854EF159828BBA448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:52.550{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CAF678833F2E6241695353322E3E0D,SHA256=B00C474B9747CBB4C5F9A4248303727645843821947FA39A3194DF7C0D282B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037498Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:52.262{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=930E7FCB6BBAB00CAA8D2CC0371D7262,SHA256=F2C3F50F2B13BDC28F07BA039E72F95D33A7A37160D392E9DC1579D3D3B1AAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:53.565{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EF05920FAA71155BC4A340F74B09E2,SHA256=2524E370C37D31822A06F93E93D778FDF770A0B7A1F7D00F963B203E250EA5BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037512Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:53.965{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037511Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:53.965{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037510Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:53.965{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBA-616D-1600-000000000502}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000037509Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000037508Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00946adf) 13241300x800000000000000037507Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c423-0x88b089c2) 13241300x800000000000000037506Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42b-0xea74f1c2) 13241300x800000000000000037505Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c434-0x4c3959c2) 13241300x800000000000000037504Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000037503Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00946adf) 13241300x800000000000000037502Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c423-0x88b089c2) 13241300x800000000000000037501Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42b-0xea74f1c2) 13241300x800000000000000037500Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-SetValue2021-10-18 14:24:53.496{6F8252D3-5DB9-616D-0B00-000000000502}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c434-0x4c3959c2) 13241300x800000000000000054584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:24:54.847{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\60E60F09-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_60E60F09-0000-0000-0000-100000000000.XML 13241300x800000000000000054583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:24:54.831{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Config SourceDWORD (0x00000001) 13241300x800000000000000054582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:24:54.831{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B282E4C4-BB5A-46C5-9F10-A3714310BED4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B282E4C4-BB5A-46C5-9F10-A3714310BED4.XML 354300x800000000000000054581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:52.913{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50182-false10.0.1.12-8000- 23542300x800000000000000054580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:54.565{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3A859DF3B5E9375935E98882F05170,SHA256=6A49A4CEE93F2BB41E1B8CE13954920DAF011149AA228ADD0EAC77BA6B00D78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037514Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:54.565{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-157MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037513Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:53.996{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0B334D4684F2B4F23E501F8D455E50,SHA256=D46B77391C4E3E0DE010ABAD7A105C85B75BBBC6D301ADFDBD4110BFACD61771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:55.862{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9BCC9A559D3F052E027F18E620FCC89,SHA256=FF18D295A0E2909E0D8C38DDDA99942801FABE9118D6771A0F4C4D1D7305A103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:55.862{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFC97E01FCE68D7EC7A462E3197BBADF,SHA256=6416D0F94B3078CABD4375ADF165A795ABA49BAAEB0185F010D8DA3A8A131988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:55.597{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420EC20095EE8B221537DFE9DD7E62D5,SHA256=8D23867D38927E27108FCF691BAD92B4045353E60B3376494441BD8D77DB7B91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037517Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:53.586{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037516Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:55.564{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037515Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:55.016{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64420E820395D04C68F05BE5D29C3425,SHA256=9046E5CCCA21965E4457534CDDF9D311C5C554CA1CBA4F81447C0A3CD20C341F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:54.702{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50185-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000054593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:54.702{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50185-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000054592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:54.694{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50184-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000054591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:54.694{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50184-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000054590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:54.679{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50183-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000054589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:54.679{8D4DD44E-5BB9-616D-2E00-000000000402}3060C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50183-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x800000000000000054588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:56.612{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C483D9AF426FE1010F583ABF3A810AD,SHA256=A5F5A65440EC052709375300BCDCCECD5E016A327D4E26789E1C6802EE5E0B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037518Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:56.077{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4B77C4921B06AED928F3CFA695E601,SHA256=3A3960C07632D9F93755B98D2B1AE1097B894744627E665E93751323B7AC3962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:57.628{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06EE2744F9D108F34C8177F0AF0BEF3,SHA256=47B438559607250076FAF9A5963231B79F11D499B608829C584ADB2023C2FBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037519Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:57.093{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814B148968F69D99DB2273ECDCA1C870,SHA256=0E8339ABC6265F675BB3541664E3FEEFC8F9D825673947F5B56AC1AFD43674D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:57.519{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:57.519{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:57.519{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:57.503{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:57.503{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:57.503{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:57.503{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.644{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975BD89E9315ECC8AE8E14189E9C3741,SHA256=FB7B766811C5DDD996063A4805BD86463D348F72F4E57AF9B82D5FC41C71C4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037520Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:58.140{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F81455483905886B86D127ADA3FCF2F,SHA256=8CF9CFCA17690C90172708DFEFCFF7BAD82A69EA37E29AF0789BAD7B701AD847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.628{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.628{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.628{8D4DD44E-79A3-616D-3609-000000000402}48002596C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.628{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.628{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.628{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.628{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:59.659{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C790406E02DACF6D44A8FA361D47A99,SHA256=221A73621701C87AACBEECBB70A1B22F85F908466E5ABA17D832F1944478C2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037521Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:59.155{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184788A002E821CE68DF3046AFCBB06E,SHA256=3F60EB704D230BBC67008371F51756441E6BD3973E686677FB2471BE9F76354E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:24:58.897{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50186-false10.0.1.12-8000- 23542300x800000000000000054612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:00.690{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20F398974888B1E9C73136843DA6740,SHA256=3B59849DE3F01679873F86777C46C62804A2AE45FC5BADD2EA034393AA59A7A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037523Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:24:58.633{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51687-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037522Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:00.171{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8643C20EF365F309FF33AF226DD27CCF,SHA256=B318C816C390EBC1FFA13853BF2B73D69FD2953E596240D2BDC9B56763313048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:01.722{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FD11CC2CC4B159B524F0F1F1B28DD5,SHA256=38A04665A651631586A90C0E89BBAAB8DF6D950798231801C6A69CF220968419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037524Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:01.187{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78CB2BB9CD86BCCC4D4D9FCAED60AEE,SHA256=C8678C650C5222BC7D2BBDDFA88A71A15889E2F38CA8448E979E15E0E8F92B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:02.753{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9A00CDA503FB6727AC13CE82691A84,SHA256=ED62A03886703A4F31460E3FD821F42B0E55D01810C6E1D13B6267C21DE66C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037525Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:02.312{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3B642AA4B74113EE73D7D860A84536,SHA256=74BDFAE81C8951408C4B4D43D127DE275E3B07D794C208B6E64D5981F5FC6A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:03.769{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E078803605A2B38AE8F21C33049F4AC5,SHA256=7960831F7B56FC5A03EB572248A43E5300566A8E4B6D3A80D96BBC24754BA7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037526Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:03.327{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFACAB9A365F41C9555B3E7C81EF5570,SHA256=EDB200A0E7F9E521C0C90305DE1346DEB19AC08D6E1DD43D293FCD6F83A17460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:03.065{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AADA4C27F362C3DC5C70C300068461C5,SHA256=3164958DC5F455731442C4199A745E0D940EE843148C0BC412A2ACC28E705B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:04.784{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8920F4F4D93D582955CC9E1B1A295DBF,SHA256=E834CC8513F80A6D04304BD06DA1677202529DC65C4E9D7893BFC76971A1AAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037527Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:04.390{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FDFDD0C596A210AD76CDD9F012AD19,SHA256=648FB5238D82F65E516E4C04DC0155C4B5F7AF7B9504CF35273D402FA1BAF1C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.987{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83C1-616D-BB0A-000000000402}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.987{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.987{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.987{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.987{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.987{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-83C1-616D-BB0A-000000000402}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.987{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83C1-616D-BB0A-000000000402}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.988{8D4DD44E-83C1-616D-BB0A-000000000402}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:05.847{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0354EB583CDD025CD886BBF7702EEA9D,SHA256=0387CE5A21F256A03A32F3273B552BEB5B49323C882356DF1F9C47376337AA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037528Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:05.421{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0B0E4009A762A5CA624F98D58BA5F6,SHA256=6D305349960C9B9D0FDBA4CA3B598EA503B465D58D45CD620F18F1E1B441FCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.987{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CD1D0B0B619C69227F7D0A833BD9C80,SHA256=9F6DFB15EB52E10D65D2DB87AD95A4A0DE0D3A16BFC7077F9DC1F5FEDD8FE52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.987{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9BCC9A559D3F052E027F18E620FCC89,SHA256=FF18D295A0E2909E0D8C38DDDA99942801FABE9118D6771A0F4C4D1D7305A103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.862{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB78DC657B08FC767D047EBC7B74C1C3,SHA256=E3A090A55F3FA70EC8FE1BC05CF0EF552B0F593082B262EA5B81B458F8841E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037529Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:06.515{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1E6B552AA19B82991A1E7EC2E7C35B,SHA256=61F7CE74DF4E5D6217B6C683CEC97027F722E73DD9207B0FF31A8B7F044ACA02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.487{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83C2-616D-BC0A-000000000402}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.487{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.487{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.487{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.487{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.487{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-83C2-616D-BC0A-000000000402}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.487{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83C2-616D-BC0A-000000000402}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:06.488{8D4DD44E-83C2-616D-BC0A-000000000402}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000054628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:04.100{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50187-false10.0.1.12-8000- 23542300x800000000000000054658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.878{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EC7452895B9DC99E691D1DA7B5FF45,SHA256=FBC649F8BA1E2391C4CFC4B84BFD4AFAF689E28486B9349EFBD160F6FEE7E899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037531Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:07.562{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6B531A5F4229F7CEC13C21883E2CFC,SHA256=2799C72FDF0481D90E4678B8069055A221B2390FFA8DD5DDBA557277A29C423C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.847{8D4DD44E-83C3-616D-BE0A-000000000402}25286268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.706{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83C3-616D-BE0A-000000000402}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.706{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.706{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.706{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.706{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.706{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-83C3-616D-BE0A-000000000402}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.706{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83C3-616D-BE0A-000000000402}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.707{8D4DD44E-83C3-616D-BE0A-000000000402}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.159{8D4DD44E-83C3-616D-BD0A-000000000402}69724116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.003{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83C3-616D-BD0A-000000000402}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.003{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.003{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.003{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.003{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.003{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-83C3-616D-BD0A-000000000402}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.003{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83C3-616D-BD0A-000000000402}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:07.004{8D4DD44E-83C3-616D-BD0A-000000000402}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037530Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:04.680{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51688-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.881{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0B07FA749DA0759E7FDCC125DD31EE,SHA256=237294FA4F2DB3FFF317D9CB891FDCA148BC6BEE177F22EAEC61CD883F6FCC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037532Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:08.577{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6507AE31A361C5EBBE954C2AC5AE72CC,SHA256=661371DB5F3C64CA0027EC9B4A221AE7BA5D00B87DE205B386F1EE0A0A5250E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.737{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.534{8D4DD44E-83C4-616D-BF0A-000000000402}69166912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.378{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83C4-616D-BF0A-000000000402}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.378{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.378{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.378{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.378{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.378{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-83C4-616D-BF0A-000000000402}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.378{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83C4-616D-BF0A-000000000402}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.379{8D4DD44E-83C4-616D-BF0A-000000000402}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.034{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CD1D0B0B619C69227F7D0A833BD9C80,SHA256=9F6DFB15EB52E10D65D2DB87AD95A4A0DE0D3A16BFC7077F9DC1F5FEDD8FE52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.912{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BC418067029DE039B4068F519F0BA6,SHA256=25979C932E0CD6B5B72A1A30E4FA0FA5A1C6BB18AB7AEC4BECA69863D34CDB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037534Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:09.609{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFEF2E0F81051B58326BB6104AE4BE1,SHA256=DB0DB2277C3720A1556A5701B6A71729872E6FE0BB9BDAC15E9C4B6A7F39A135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.412{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99FC5AC3FB1659A1B93BBA130088F856,SHA256=70958DD6B6A65013FD3CF346F98E2650FBD49BAFF8CEF79D9CB3AA28D74E3C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.256{8D4DD44E-83C5-616D-C00A-000000000402}70366672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.053{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83C5-616D-C00A-000000000402}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.053{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.053{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.053{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.053{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.053{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-83C5-616D-C00A-000000000402}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.053{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83C5-616D-C00A-000000000402}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:09.054{8D4DD44E-83C5-616D-C00A-000000000402}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037533Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:09.515{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:10.928{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217E0A1AC4370F4AFD12A433BDF35836,SHA256=C6FFE2D636039250CA0A7D1A471B3012BB2D33016C02A3F2B702E86AAF54D0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037535Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:10.640{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF453307197FDEA37C778133B9DC4C8,SHA256=E6E31693829217F65A7A2B7818A70827F0AE8B8EE6914CD46C0FA4F61880ABC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:08.569{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50188-false10.0.1.12-8089- 23542300x800000000000000037537Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:11.656{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063D26E59B8F855E1F3FAE8334BD074B,SHA256=EBF324EC1E20AE7BB192CD83EDDF10DFBFDB9F8B5E0A6673D2DFEA34399DB788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.975{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A5855EA0EDC7B2079B4A932A2B2E58,SHA256=8AF91A872C1C39B3B174E34BAB1A76791A8AF0FA8853FA42199882BE21C6F857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.709{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83C7-616D-C10A-000000000402}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.709{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.709{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.709{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.709{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.709{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-83C7-616D-C10A-000000000402}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.709{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83C7-616D-C10A-000000000402}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:11.710{8D4DD44E-83C7-616D-C10A-000000000402}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037536Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:08.977{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51689-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000037539Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:12.874{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2E5D49AE854BC07FB6F47EAC974F93,SHA256=8D8A908CF665C3E26A5FC30A0A12D56E2A2E56B0A2850708769C050293477D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:12.990{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C2D4BF2D441A9CCB3E63BA2A139061,SHA256=E4325785CF0FB89A30825CBE7DB4CF9EE81282F3D485E326E697D96325C31F39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037538Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:09.711{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51690-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000054694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:12.725{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=635DD93B675FEE5EF8F0CA21EAC0E50F,SHA256=D9F745959D4ADE4894F72559DFD0C56335C3BF432D613A0A8EAC0EC1864FEC46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:10.025{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50189-false10.0.1.12-8000- 23542300x800000000000000037540Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:13.874{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628689E6425CB3EB017B3B296875DE95,SHA256=3B4211EF6CF612A3331F68D3AEF1D3B5161755B7BDD0D22ED77530BEDB9C6ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037541Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:14.890{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB0F9CBB3BF296776263FF782B1BD23,SHA256=104B17A6850DC8C03E7A80B39B0AF4BEC9D813C767AC83DB8EDD6D46C963EC05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:14.115{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2465E27D0A31F89ABC2AC8E51BAADF,SHA256=54FC4495FAE3D9D4BFF69B0109CDDE8DAE7F5E737283AED52F90F3B48B1500A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037542Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:15.906{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8C33BB929E0B7E4EC331F6399452A3,SHA256=BA60230F1D0C2757DAFB28E0D9B8720AC42ADBCE1A45D4C1C4872E0D43D00230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:15.131{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA711149FE6D970A32CCB90D77CD52F,SHA256=943BA84C7CEB13901E4A55D344CFCAA3F96FF720ABB1208C93CEA0179A7503A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037543Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:16.921{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A4CC89B7626FE47B8897853BA5EDA2,SHA256=5EFA7B566052EE4F2474F14D31B3CDD5EE8A3383F68A418658F0C61FE8D60BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:16.162{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696B269600FD12FEC90FE969CA495338,SHA256=D66CFC046A7EA20E17EEF2D9823F13927316F2A3AE96E2C35F80AD050604B43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037545Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:17.937{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5602237C826CF2D4568B9F4BFCD9B628,SHA256=F6A09ED15D458A058DFBC55A56A9E3FB2D63714852643F7DADD09D95958FE073,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:15.962{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50190-false10.0.1.12-8000- 23542300x800000000000000054699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:17.178{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400FE85755D5F89EC90CFAF4BD2BB2B0,SHA256=0A2099CC99982BFD7A4F1E57EC5DF8558AC895E4F27E9AD40C275FA36F7A94D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037544Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:15.523{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51691-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037546Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:18.953{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CD3F134DD8ABE78B85F7E414AFA0C8,SHA256=3E80E019891E0DE72DE8FAC9D854F1D1F897C34E669FC7CA1484306F4DED231F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:18.194{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1CC61C26B2347A16D2CE0D4C5B9797,SHA256=598B3C071E24BBFF8D8FD076CD2D895711E8AF9152A76F1B37C30724C4AD1E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037547Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:19.968{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2712924CFB61075218AA840A2F17EC74,SHA256=A1591BDF88183E8D9382F0DEA3B1E6A0E4BEC18D68A87C55E7518C5D97650131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:19.209{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A536F3E17C7A224FE1DED0F5123BA0A3,SHA256=47D9813AFA8FD3EEEBB1FAC22ECA0D9554BA117B95A23992C55DE944B7B6D8D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037548Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:20.984{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D250B1AD470D7F4AE0FAE25DF621D2D5,SHA256=3CE93B8F259FC0733698C6AE02388012DCC7402062703FE2CB44F20EBD0C9F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:20.225{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1F581F593BBF05EBBB17273DDFAEE0,SHA256=223732FAC50E6BCB1CA8187FE14C9D584EEE98557909B787C03C7CCA1EBBBBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:21.240{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4891406DC9A5686F3BFBF4B3575B63,SHA256=AAEA06EB48053E7320BD6A912BCD79599C2AACABCD9F07778DD0D846DB22EE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:22.256{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899B4959C8D7EA45EC10338F2BDAE12B,SHA256=C36C955A65A629AD6BD3A4E4A4A4A1B3E8B0AF402F98CDECA43B9F86C87889F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037550Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:20.586{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51692-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037549Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:22.000{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FE0BD1F3F91501AC84B076ECDBBD93,SHA256=F93F28A4EE21F630AF3C3903D05B4A07722C120F84F47F7113AC5E482F094604,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:21.947{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50191-false10.0.1.12-8000- 23542300x800000000000000054706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:23.287{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B766135E0B7B0C4A2E08164E334DB65,SHA256=BACD736CB5A426CCCC602DEDB7D3515B87C7787EEA0DED5EC8AEDFE188FD3C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037551Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:23.015{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C3A7BC84FEA31703AC69FD7AB23D5E,SHA256=8DDDE2DE1C36A93827058F7B753F52F6480202296FFC1E95D30A946F1838F32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:24.350{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F01256CC8794F73F01CEC07B8004817,SHA256=5629303958DB21FC98E89DFB899E3067C8C1CB9BDA69806C479F4E81D593FAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037552Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:24.031{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3AB165ED31F53783B791E4E68A978E,SHA256=8750B5CC25A5281A96E19B1246CF5DA130AB92A3BCD860D82063888EB4C2B1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:25.381{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC03A7B39CA013D4E4316983C8FD838,SHA256=FB429FC4B0FFDB2F04442CB26E513F3750222AB796590055D01AE8E65561F456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037553Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:25.046{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDC2EFD0A956A1B92E280ADBD98EE9B,SHA256=121398101BA71F2F6130DDF7035A574CD36D1C618897F62DFA690914559515B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037554Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:26.062{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC99A1E128FF53C11C7A68B8D1CF281E,SHA256=E8BAC46F63981294D0D91D9B0CBF11F3A9A56F350E8F323DDE60DAFE8E32435D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:26.397{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAF04CAB8D41A1AB504D24CA2DFE784,SHA256=0F203D27B04912BBD057F0F818592554C500C1874C13FA1643FF1D3DC849F849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:27.412{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F8577F2291070022D4B40024546F26,SHA256=4B269A410BB1E6F5A4A41454616F67A579A7D3FEB0002D4AE1C13819B9692993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037555Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:27.078{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D234D8E0D9EDD3F2DF89A70E5B1F19B4,SHA256=C34DB8ABB6833F6177061DF8DC06ACB57B8A224FC26F638FD10F1CB09A750619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:28.412{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDA592073EB844F12A65AD9FD32B7CC,SHA256=1C051D57F549087F2510F667F5D48D99189213C783C4C45BEC8C34D22BE8FB05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037557Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:26.617{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51693-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037556Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:28.093{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46035FD22DDCD13D6B8D84358968EDDB,SHA256=81E28B2881B89D223F65ECDF5D2355F0668AC776DA086482B1D01A2FC4A1DAC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:27.962{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50192-false10.0.1.12-8000- 23542300x800000000000000054713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:29.416{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70427CB1B841B0611303AF02415BC4DC,SHA256=9DF75BC5725ED7E6CC60FC5EB96CC870EAC755F5703852ACDD1A9BC3E059B468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037558Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:29.096{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D2EFBA16099C55882D3C8D847B13F1,SHA256=EEFACFE4B9E02A6E3F16F079CD8DFB9BB5F6AB45980CAE1DE87EEE80FE7AFC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:30.462{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A760481CD0E2A3ECDFDABCE3EB3EA6,SHA256=7B463BBE61EC87568625A2ABDCB30592068ED7992169B50FF2DA9AF2978E52D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037572Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83DA-616D-1708-000000000502}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037571Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037570Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037569Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037568Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037567Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037566Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037565Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037564Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037563Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037562Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-83DA-616D-1708-000000000502}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037561Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.784{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83DA-616D-1708-000000000502}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037560Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.785{6F8252D3-83DA-616D-1708-000000000502}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037559Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:30.112{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668C0C5612D180971D7CD3CCA1076568,SHA256=70500881B80B38562A0F85A6D0307DC3DAB30F013AA640C9C9DD500DF6A45432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:31.556{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24636476CEFC9807B35510BBE9D0F360,SHA256=46991C8E3381CCD913FF9D5E4E46226EFE4A40C961AAE6029E507BC2EC064B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037602Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.940{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D8E2A001CD02A3D383E373B98EAB78,SHA256=FAE1652891D39E6E539BB122B37154559A0011AFC85525930426D9ED6AA48019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037601Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.940{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=313B2C1BC23FAAD962D271AE7CC7ADCB,SHA256=0E569C1D7911127D02D217FB57D871FF78239597D7515FEC37C53B3DF23B43DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037600Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83DB-616D-1908-000000000502}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037599Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-83DB-616D-1908-000000000502}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037598Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037597Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037596Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037595Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037594Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037593Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037592Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037591Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037590Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037589Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.784{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83DB-616D-1908-000000000502}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037588Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.785{6F8252D3-83DB-616D-1908-000000000502}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037587Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83DB-616D-1808-000000000502}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037586Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037585Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037584Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037583Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037582Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037581Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037580Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037579Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037578Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037577Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-83DB-616D-1808-000000000502}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037576Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.284{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83DB-616D-1808-000000000502}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037575Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.285{6F8252D3-83DB-616D-1808-000000000502}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037574Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.127{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4455B85D33257BECF240ECB44E339A4D,SHA256=C2D90F2E86AC137FB5F0A07ED071D12D670EDE1BA06D4BDD1DD3BCF360C68DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037573Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:31.002{6F8252D3-83DA-616D-1708-000000000502}35522912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037603Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:32.284{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DA29250D35484C654FD184DF0FD17E,SHA256=D48446C6043A552169E962B5B9AF4A93B76EEB6A9B810D4CF6BF48D39B8A84DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:32.587{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A393D364FFD86EA3F6E241A86396FDC,SHA256=C732E7C65CC1C39B70BA3442E968C358016DF8B40704CD80E421BC8FB2E31265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:33.587{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF9325952CA74BD581D34893AA4B627,SHA256=145CABF25656B9F93502C7302298AE63DB642BB722528BE5284914FA26C14DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:33.587{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FF5EB65D0E99EBD3CECD566686C4FC6,SHA256=E1FA8603682047EF9F14F15F57C2342AFEEFCEB7E4566394880588E0B76DEDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:33.587{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1150CA37F2E6FBDAEE05338BE1F8D1,SHA256=F4E810BB1DC92614AEA3964D818371998EC572F707C329FE97BD32AD57431CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037618Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.502{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0E49B1C50344712F92EC801C2B8B9E,SHA256=E689ABB869FDB7F136AE86DE5BB0F4A093E056EF9D202B1EABF7C5AA7490F9C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037617Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.299{6F8252D3-83DD-616D-1A08-000000000502}28801876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037616Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83DD-616D-1A08-000000000502}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037615Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037614Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037613Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037612Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037611Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037610Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037609Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037608Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037607Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037606Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-83DD-616D-1A08-000000000502}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037605Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.096{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83DD-616D-1A08-000000000502}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037604Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:33.097{6F8252D3-83DD-616D-1A08-000000000502}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000054724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:32.434{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50193-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000054723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:32.434{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50193-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000054722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:34.636{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331D513BA49C7B5702DF6ECA68F1FDAC,SHA256=BA218631611925EF2B9671DADAD0DC23296B873304F968A6C66E2FCA4C8E757B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037647Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:32.635{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51694-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000037646Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83DE-616D-1C08-000000000502}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037645Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037644Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037643Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037642Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037641Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037640Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037639Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037638Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037637Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037636Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-83DE-616D-1C08-000000000502}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037635Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.877{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83DE-616D-1C08-000000000502}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037634Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.878{6F8252D3-83DE-616D-1C08-000000000502}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037633Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.518{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F9049568E4E2D95CDFEC85D4B74DF2,SHA256=DFE9CC216D386194661FF1B7D7C6CC3FBB306DC73C15DD6CEB2F3F0B303D1F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:34.452{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-166MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037632Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83DE-616D-1B08-000000000502}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037631Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037630Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037629Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037628Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037627Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037626Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037625Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037624Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037623Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037622Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-83DE-616D-1B08-000000000502}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037621Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.205{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83DE-616D-1B08-000000000502}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037620Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.206{6F8252D3-83DE-616D-1B08-000000000502}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037619Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:34.174{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D8E2A001CD02A3D383E373B98EAB78,SHA256=FAE1652891D39E6E539BB122B37154559A0011AFC85525930426D9ED6AA48019,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:33.890{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50194-false10.0.1.12-8000- 23542300x800000000000000054726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:35.650{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96784288F11045CC155458AF40C6381,SHA256=61219C668397A3AED0FF533B784B50F58FDF3925DBA2F6C844FD6A42449A3117,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037664Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.705{6F8252D3-83DF-616D-1D08-000000000502}39443184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037663Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D5C75476D776F1346FEF376A600D1E,SHA256=4058011D44F0B8930EEBF1980D84C0C75F258FD2E4AB361226839C58F6F1607B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037662Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-83DF-616D-1D08-000000000502}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037661Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037660Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037659Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037658Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037657Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037656Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037655Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037654Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037653Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-83DF-616D-1D08-000000000502}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037652Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037651Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.549{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-83DF-616D-1D08-000000000502}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037650Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.550{6F8252D3-83DF-616D-1D08-000000000502}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:35.465{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037649Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.252{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6D386416C29D9524AB863551452490C,SHA256=E6BFDFE0EA0B24B5E20617749DA6954C6F7B50B76A2F1B2590CF8579E9576A65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037648Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:35.065{6F8252D3-83DE-616D-1C08-000000000502}3881328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037666Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:36.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9AD1CA577B17CDEDEAE1E30A0271738,SHA256=51871B016AED62749192CD941E21D22D787CC61825304DE21B301AA9C4297056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:36.653{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505C5A3DD2B1323B57A171DBDE09205B,SHA256=D45431D226B525AFD34AE11C649FF0AF02F7BC6128E6B6FC281F7E7202260DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037665Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:36.565{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=139CE97A2AAB8BB0CFC8D5501D6EA4D6,SHA256=2F28305255EFBDC0ED11DDE6CF1D5781E19FE59D61FC5924DABC1A2EC742C02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037667Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:37.596{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2301006EE8DE0C2777DAF2D7809D5CCF,SHA256=D79A6C597C35F8099DD8F70C293F060CD71104CC423F73A13FA0E56D3CD15E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:37.669{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52422DA1A8F560AE9CDF27B30228ACA,SHA256=F42BAAC6EE06938EE8F38E0A0AC2480254847C95E442BB156C8DAA39CDBB156A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:38.684{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F9B40E0A705C011C6622591475C92,SHA256=ED069F4C0C71E2D64123E1C0DD693225D1BB6E250CE448B353B915ADA0F202F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037668Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:38.627{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E234FD41F8082A3F2D402BB866C14A0,SHA256=B0DFF2061D702F5D5373399DCFC0169B1D5B49D2F6C2AD44F0F18C6CE2D0F660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:39.700{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F82ACA654FA15EBF569A9E446AF3CB,SHA256=AFEBCBBAA3A45589453E1D7525A7CDED5E0FA64B2C0DE32F6067DF295B9A12C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037669Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:39.643{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C613A6BE8D0A6F2D2A95473AF41970,SHA256=C8669B14D41021E5B95FFAB2D9EE523AC8AEA02B304C06D091DDADACEF44B7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037670Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:40.737{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79126367AB3805838876F683A3FAD074,SHA256=2E79D3ABEC9E4F2F50059FBC41CC5DC7D95851C57792E593D3FAC476BF14E6C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.809{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000054762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.809{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000054761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.809{8D4DD44E-79A3-616D-3609-000000000402}48005936C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.809{8D4DD44E-79A3-616D-3609-000000000402}48005936C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000054758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000054757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000054756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000054755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A3-616D-3609-000000000402}4800912C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A3-616D-3609-000000000402}4800912C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000054752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000054751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.778{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA9-616D-0D00-000000000402}9045156C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA9-616D-0D00-000000000402}9045156C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA9-616D-0D00-000000000402}9045156C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA9-616D-0D00-000000000402}9045156C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA9-616D-0D00-000000000402}9045156C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA9-616D-0D00-000000000402}9045156C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-79A3-616D-3609-000000000402}48005452C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.762{8D4DD44E-79A3-616D-3609-000000000402}48005452C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:40.716{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9CA82CD6EAC6FCF5BB79013EC64DB5F,SHA256=B35E05E45B1F835308722D13E68659E5CC4533629C68B58F2BE1938CF54213BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037672Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:41.799{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54E30E7969CAE096460A7477E214384,SHA256=C27805969DFB4F08D68FF44EF70AF29607058F4DFC67C1C0523DB5092D99ED4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.794{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8373C4AC611FEC71F35DCF28CF9085C,SHA256=7AF7BAD8D1BA5DEC1821CD0C68C23C5C58F9171E295AD78486A9BA1EB22B1F4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000054778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000054777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48004536C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48004536C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48006248C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48006248C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.747{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.731{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.731{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.731{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:41.731{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000037671Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:38.635{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51695-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000054764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:38.937{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50195-false10.0.1.12-8000- 23542300x800000000000000037673Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:42.846{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6C7FC5D88DDDAC04B4CDC8737910FF,SHA256=52006BE3849DF21F48E463E4FD3E6FCECE805B05158EE760D23A2F12BEC1F90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:42.825{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6AA69EE5B5F250F390DFD27EF039F8,SHA256=0345A456F0B657EAF374C5D081D5787DE066B413AAA24459F65746EEF62FA306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037674Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:43.893{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BFC8C02678DE576FB3C62BB0E780A8,SHA256=8FFB28EA8BE02EE3AEF7916590364C39998CB4E08C750BFD32A1EF384301B2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:43.826{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC20E59A01CFCF1D423801BBFB42E02E,SHA256=A51238C94948B5136291DB267A3EC7C1476E5E14980B126F3ACE5CAAF6CF4921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:43.059{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:43.059{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:43.059{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:43.059{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:43.059{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:43.059{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:43.059{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.841{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786E74F6B61E527C511750E8787148BE,SHA256=DC0826360396F1255816BCA2DE8454EE56D64526D7DAE8BC9766609C9A01A806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037675Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:44.909{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31183B5E4523BB2B4B1CEB5559370105,SHA256=5A6CF232E18FC7D0E4273F8C4282F09954BDD73E86DC2AA13814D3F462D08605,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.637{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.637{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.637{8D4DD44E-79A3-616D-3609-000000000402}48004076C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.637{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.637{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.637{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.637{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-821F-616D-750A-000000000402}3004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037676Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:45.924{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C365F919C36451D39544673B6FECC2,SHA256=2183BD154B2200D9A196B0793ECC86CDF57D7D69E97794CA651A71D178FEEB09,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:44.111{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50196-false10.0.1.12-8000- 23542300x800000000000000054798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:45.887{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E2DBE0BAC07A619165EBA6112A4D08,SHA256=758DC11DFA7D6D9087B48379259DC087054828AA271ACFA7CE6A1EF1CCED5580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037678Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:46.940{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCF6B8185FF8937C6DDDA1C903AD9DB,SHA256=F21B4F3F843168FD95FC5ED53BC64B0FA40B6ABB62BD0B8D8DA30B82C041E007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:46.888{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB99C661D91DA596CD16584EB1ADFAF,SHA256=E3DC0616FE2D9F95CABDC6C1B0506382DB8B4AE43AE2AE9805B88B7729F38FB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037677Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:43.666{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51696-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000054803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:46.294{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:46.294{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:46.294{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:46.294{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000037679Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:47.971{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B270DD25A5B8D683A15DE79C819FF4F9,SHA256=E2D23F732BA98769ADC051B8F4096C9D132625B77BF5C5BEA458A549546C4FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054922Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.934{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0057F6DCC448550E14CF7B87FAEEA641,SHA256=51D9B081898CBCEB9E116168736C7A4B38C25E14D9503D957CA8875BCDC47C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054921Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.653{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F88532B8AEB7537AC771D8A7E3656F1,SHA256=46E04F74636F7B37810127F3AA67E6017010DD3FDD9EF31EF993780C3B43C43F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000054920Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.637{8D4DD44E-83EB-616D-CD0A-000000000402}2208C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePusDWORD (0x00000000) 10341000x800000000000000054919Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.637{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-CD0A-000000000402}2208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054918Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.622{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054917Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.622{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054916Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.622{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054915Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.622{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054914Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.622{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-CD0A-000000000402}2208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054913Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.622{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-CD0A-000000000402}2208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054912Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.636{8D4DD44E-83EB-616D-CD0A-000000000402}2208C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054911Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.622{8D4DD44E-83EB-616D-CC0A-000000000402}3988C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirusDWORD (0x00000001) 23542300x800000000000000054910Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.622{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627944F5D9E037EF04716285FDB332C6,SHA256=FA51AE8F8B92B1BDA7E9EBFA4FB11C8B662928B2E6646BEA370DC53B1A587D1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054909Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.606{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-CC0A-000000000402}3988C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054908Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.606{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054907Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.606{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054906Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.606{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054905Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.606{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054904Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.606{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-CC0A-000000000402}3988C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054903Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.606{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-CC0A-000000000402}3988C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054902Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.614{8D4DD44E-83EB-616D-CC0A-000000000402}3988C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000054901Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.591{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-CB0A-000000000402}2348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054900Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.575{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054899Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.575{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054898Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.575{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.575{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.575{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-CB0A-000000000402}2348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.575{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-CB0A-000000000402}2348C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.585{8D4DD44E-83EB-616D-CB0A-000000000402}2348C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000054893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.559{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-CA0A-000000000402}5968C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.559{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.559{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.559{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.559{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.559{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-CA0A-000000000402}5968C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.559{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-CA0A-000000000402}5968C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.564{8D4DD44E-83EB-616D-CA0A-000000000402}5968C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054885Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.544{8D4DD44E-83EB-616D-C90A-000000000402}2480C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsentDWORD (0x00000000) 10341000x800000000000000054884Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.544{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-C90A-000000000402}2480C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054883Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.544{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054882Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.544{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054881Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.544{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054880Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.529{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054879Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.529{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-C90A-000000000402}2480C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054878Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.529{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-C90A-000000000402}2480C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054877Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.543{8D4DD44E-83EB-616D-C90A-000000000402}2480C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054876Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.529{8D4DD44E-83EB-616D-C80A-000000000402}1700C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReportingDWORD (0x00000000) 10341000x800000000000000054875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.512{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-C80A-000000000402}1700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.512{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.512{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.512{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.497{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.497{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-C80A-000000000402}1700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.497{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-C80A-000000000402}1700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.501{8D4DD44E-83EB-616D-C80A-000000000402}1700C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.497{8D4DD44E-83EB-616D-C70A-000000000402}5556C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeenDWORD (0x00000001) 10341000x800000000000000054866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.481{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-C70A-000000000402}5556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.466{8D4DD44E-799F-616D-2309-000000000402}37683632C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-C70A-000000000402}5556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.466{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.466{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.466{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.466{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.466{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-C70A-000000000402}5556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.477{8D4DD44E-83EB-616D-C70A-000000000402}5556C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.326{00000000-0000-0000-0000-000000000000}5568C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotificationsDWORD (0x00000001) 10341000x800000000000000054857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.326{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-C60A-000000000402}5568C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.326{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.326{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.326{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.326{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.326{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-C60A-000000000402}5568C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.326{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-C60A-000000000402}5568C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.326{8D4DD44E-83EB-616D-C60A-000000000402}5568C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.295{8D4DD44E-83EB-616D-C50A-000000000402}5572C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsentDWORD (0x00000000) 10341000x800000000000000054848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.280{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-C50A-000000000402}5572C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.280{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.280{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.280{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.280{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-799F-616D-2309-000000000402}37684020C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-C50A-000000000402}5572C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-C50A-000000000402}5572C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.279{8D4DD44E-83EB-616D-C50A-000000000402}5572C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.263{8D4DD44E-83EB-616D-C40A-000000000402}4492C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReportingDWORD (0x00000000) 10341000x800000000000000054839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-C40A-000000000402}4492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-C40A-000000000402}4492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.263{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-C40A-000000000402}4492C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.262{8D4DD44E-83EB-616D-C40A-000000000402}4492C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.248{8D4DD44E-83EB-616D-C30A-000000000402}6364C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeenDWORD (0x00000001) 10341000x800000000000000054830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.216{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-C30A-000000000402}6364C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.216{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.216{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.216{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.216{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.216{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-C30A-000000000402}6364C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.216{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-C30A-000000000402}6364C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.224{8D4DD44E-83EB-616D-C30A-000000000402}6364C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000054822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.localT1089,Tamper-DefenderSetValue2021-10-18 14:25:47.200{8D4DD44E-83EB-616D-C20A-000000000402}5992C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotificationsDWORD (0x00000001) 10341000x800000000000000054821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.200{8D4DD44E-821F-616D-750A-000000000402}30045552C:\Windows\system32\conhost.exe{8D4DD44E-83EB-616D-C20A-000000000402}5992C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.184{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.184{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.184{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.184{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.184{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-83EB-616D-C20A-000000000402}5992C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.184{8D4DD44E-821F-616D-740A-000000000402}64446568C:\Windows\system32\cmd.exe{8D4DD44E-83EB-616D-C20A-000000000402}5992C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.196{8D4DD44E-83EB-616D-C20A-000000000402}5992C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fC:\Temp\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{8D4DD44E-821F-616D-740A-000000000402}6444C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000054813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.091{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.091{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.091{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.091{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.091{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.091{8D4DD44E-79A2-616D-2C09-000000000402}19325356C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.044{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.044{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000054805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:47.044{8D4DD44E-5BA8-616D-0C00-000000000402}8486596C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000054925Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:48.982{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FF5618755943052AD940E01CA637FE,SHA256=84847B0DD4AF48F9CD86EA9ECFF568A741BB580E9DDF7220478A7711550D18A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054924Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:48.262{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADCAE9B5E312A1CA3E0E7ABECBEC7FAE,SHA256=1CFF8C6214D396D8106F87C3A7F9023DB56AF2107343EC902B290A4CAB3BCC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054923Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:48.262{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF9325952CA74BD581D34893AA4B627,SHA256=145CABF25656B9F93502C7302298AE63DB642BB722528BE5284914FA26C14DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037680Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:49.100{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF67EEA5D526C5A4D596B38D580B83DC,SHA256=761F46935A3033BD4F9449EC31C5619E66EA3BF716094A716394A1A15258D763,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054926Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:49.185{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000054927Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:49.998{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14990FFD5B6735995A43D4A42E759F6E,SHA256=0BD2DE1455F1B7E62887071CEDA441488BCFC6B60DF972239075E2D6A1CA6EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037681Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:50.116{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955C54BD688C514C0C41D0EB5CDEF4B5,SHA256=402BABD8AFAAD2C3144D921DF20AFFBA2A75CD8FF952B519AE99E2A687FFF311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054928Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:51.014{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF840C24E98A92C7D3BF10F9A21F3FB,SHA256=E3EAFB471288169979ABED54DCEFE61DEA5CB550EC9DD030812C12D673CA1FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037682Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:51.163{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0211B871FB0D4578D751CF7ACC93940,SHA256=C5F85828B29BE5FB43222338504D0D057DC6E7C2B21C02DCFC02E4B6524A1575,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037685Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:49.530{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51697-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037684Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:52.272{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=49BE297C69E004DF8C2F7F1E5CF1145B,SHA256=9F2F54B2471A0A70F478E356AC2BE63AC53CE75F566CDFEDEF4519293FBF9C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037683Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:52.194{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C3B09FBF8DF80B2AC899BA29A5CCBE,SHA256=861D4A31C6C7A8758BD4B38904C0CB7B86EB42839BB639E669D988B059FE6F57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054930Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:50.065{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50197-false10.0.1.12-8000- 23542300x800000000000000054929Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:52.014{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776F881DF1DD7F03E558E039874DA4A8,SHA256=51CF3FA543F9909814D5F40093D4CC82EF0C1F7D460AB0D6CE29001414060C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037686Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:53.210{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F144D33F4A0C04D9C3C368AD1D5B09,SHA256=E834A4823571D98F6A7EC7C456465524B9CC8E9954DA39927F3A3CBA7548F98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054931Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:53.029{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2BE65E2F42234A95FA5E8970FC23C7,SHA256=5FD856FA585B2BAD64D5CE9D9170112A71E50DB252337A588BB7E7988F18D539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037687Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:54.225{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC279A740279D83C97B259F846B58F6,SHA256=66CE01943202CBE12336B71B9459271D4588814A213737C82943751C12AD68DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054932Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:54.060{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD20BFB3304DCB513C5EAD56ABF9A3F7,SHA256=B7DC877748E7DBE9E8F0B0ECCABAE468875553EA79BF92FC84EEB09F54A16361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054933Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:55.123{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E83971176396547B81D14D0C22A34EE,SHA256=6E256B4AAEB74CAA0B3D6C7377DBCAB1EA11815D9B30AE36C18DD702F96D4015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037688Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:55.241{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508B0C82DFD76DF1010208F0269C9377,SHA256=D26E40D8A8B1D0083669A534C91A7B9F4EFFED238A2BE4CF65B66FFD128ED912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054934Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:56.139{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4CD52B95534C4CBD3754F35A664197,SHA256=7F521A8CC7E779283ADD4ACF6B15957FE3574D17E75D23EEA89A1BFA06DEB75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037690Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:56.321{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5754FCCA6E0E60827FC76BAACDFE75,SHA256=F586D4DDEC6F23BBA99095B6E37C500981B6408EF2487DA58240FDCB22B92962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037689Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:56.089{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-158MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037693Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:54.655{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51698-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037692Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:57.350{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DE1F1BD2E77978673A94C96376B3CE,SHA256=45787DE49371B9773A4B1ADC6A4A0F1A036B6F32CE0D51C6430656A0861D2C35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054936Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:55.079{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50198-false10.0.1.12-8000- 23542300x800000000000000054935Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:57.154{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828D55271DE84692551FE33030669A6B,SHA256=E29EA5FEAF0DF6FB14F1A73A75C36034953341B3DF50077C69FCE0489CA08EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037691Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:57.088{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037694Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:58.367{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC7F7BBE5051BB411C5E299F7D6A5DD,SHA256=EA7E231714BD4F5931F4A3ACFB4DFC74A2AD7DB4D7551E644ED075344B821398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054937Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:58.170{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25910C9899F62EF06387AB0A94750909,SHA256=4DEAD5920C02F25D341920137538A7007E9C61D1F669CFBDA0D651ABEB5938E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037695Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:25:59.383{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEAAB918F9E16E444106DF4C1C7D8DC,SHA256=592F448B366FDF0F4462A31E256BF1D5479F8BBD28BFA50FDD0DB3AD13FA08B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054938Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:25:59.201{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF126471548A43FAAAC8080724271A6,SHA256=AA9487D33AB4D55AC319144B3F5B658B74CF0FA13AC6481E791D62F60468F925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054939Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:00.217{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A8A369DC55DA2B772010EA92B07529,SHA256=56524B9F461CF058E2FD4EE1C666639172C8FD74FBC09D8F9828978F7D6A3725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037696Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:00.414{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E6DD239194FFA96F8F04E53A3C954A,SHA256=11F420B1E4705DF18F80514643242367DD594BF0D6BECFDD69F36383FAFA8068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037697Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:01.429{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1092165ACEDC49E44AE802D227361A98,SHA256=3AF5CDA3C1B8754FDF894BB7894B1C28DFC1BB85ED224021101AE73F034201FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054940Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:01.232{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D156C25285BFDA33AE8BAB57740BB7,SHA256=165B68C10E9F7EFE5361F59216559687E3ADBBB6FD8262685EFD4635BED77C7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037699Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:00.577{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51699-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037698Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:02.445{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB7BA0B03862DEE59C867171994C096,SHA256=8BF5CBFFB87E71B41241E84DF471BBF0CF147A3A85353A0E667D0B7952228FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054942Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:02.248{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A669D996F6A260070CE8E4878ACAF4,SHA256=7115AAE04E4AED94242B0990F1C28071D54DD0EC42FE785DDC6919959B03DB28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000054941Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:00.954{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50199-false10.0.1.12-8000- 23542300x800000000000000037700Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:03.461{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364C713EBF28E8B457A04202927100D9,SHA256=C26375E41763A22B6EDD9C4C282EDEA2979BA460F6FD47BD316DD2AC88F58BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054944Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:03.264{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F938258A100FBFEEFDD84AC60AFCDF8,SHA256=9CBD0118972E728BD902647380DAB9A4A8ABC7DCCDDF8DFF01BFC2FD4FCC9099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054943Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:03.076{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3D275A67B1E0A2F7AE0F04409B1FD24D,SHA256=1FAFC3F49CC096AE3A307781B682D423B028CDD0F9953DCDC25BEA889992AF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054945Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:04.279{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F378BC1966AE421B514A833A27740EB6,SHA256=DB5C0174C8130ACCE18B04867FDF51A227C72616E4DD6D48F296263394E1AE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037701Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:04.476{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEF414005CD5A53948F644F8417C74F,SHA256=656562EC33C1C2EE469803CC4DFE9F344EABB13D16A947329DDEBB2643E9F4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037702Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:05.492{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E47B16654723BC8C79C3A27274BE95,SHA256=AE6F10E185866D4B4ED9FBCC17EB8BD1DA13EB194C0F541BB6360904041CF895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054954Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.982{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83FD-616D-CE0A-000000000402}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054953Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.982{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054952Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.982{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054951Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.982{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054950Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.982{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054949Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.982{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-83FD-616D-CE0A-000000000402}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054948Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.982{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83FD-616D-CE0A-000000000402}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054947Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.983{8D4DD44E-83FD-616D-CE0A-000000000402}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054946Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:05.295{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821A7598B038065B2AC79D09B9D5DED1,SHA256=E90C3FB2E45F0852B26A59D57F517567D66D56C7351E2264B2D5FD7454FC0635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037703Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:06.507{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B59D2A7C7250915AD3031C82620198,SHA256=DA1445DFCC6272161C72F0A03A9B0EDC3E88A1CD94BF8E45772F2721693CF960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054972Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.982{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83FE-616D-D00A-000000000402}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054971Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.982{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054970Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.982{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054969Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.982{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054968Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.982{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054967Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.982{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-83FE-616D-D00A-000000000402}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054966Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.982{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83FE-616D-D00A-000000000402}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054965Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.983{8D4DD44E-83FE-616D-D00A-000000000402}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000054964Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.482{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83FE-616D-CF0A-000000000402}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054963Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.482{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054962Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.482{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054961Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.482{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054960Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.482{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054959Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.482{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-83FE-616D-CF0A-000000000402}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054958Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.482{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83FE-616D-CF0A-000000000402}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054957Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.483{8D4DD44E-83FE-616D-CF0A-000000000402}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054956Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.326{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B443E6EB30919821CCADEEDF3B5F2E3E,SHA256=4195959C3D637CF80AD99DE7576855A3F301FB6F8813A06770D6A09C2DD25A45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054955Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.201{8D4DD44E-83FD-616D-CE0A-000000000402}10365500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037704Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:07.523{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC16E2371DD09F50A0F3ACE0F4781B8,SHA256=9FA6496BAE74D39F74CD3ED9272EAF309AA0B3304197DC70EBE33903B8A0F184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054984Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.842{8D4DD44E-83FF-616D-D10A-000000000402}62045292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054983Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.701{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-83FF-616D-D10A-000000000402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054982Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.701{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054981Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.701{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054980Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.701{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054979Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.701{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054978Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.701{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-83FF-616D-D10A-000000000402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054977Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.701{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-83FF-616D-D10A-000000000402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054976Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.702{8D4DD44E-83FF-616D-D10A-000000000402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054975Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.342{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291CC5E59E3A99C5780FA2107CC275AA,SHA256=75C77743BF53F30E55AB7B8670C699C0B9CD42FC98FA686845B12BC5E4F783BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054974Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.029{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7ACC3FA3763B5958FCF8D85054A9296,SHA256=F60425765B561BC08407C08A400B504FC2CDE92E0A668EDAC439B481A017DFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054973Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:07.029{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADCAE9B5E312A1CA3E0E7ABECBEC7FAE,SHA256=1CFF8C6214D396D8106F87C3A7F9023DB56AF2107343EC902B290A4CAB3BCC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037705Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:08.586{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42D89E7DF970CFEE6F54C666D861661,SHA256=128D7FFE8B7EB0B43D49380769A87C28EA466A71E9D7302674369F87668352D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055005Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.884{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8400-616D-D30A-000000000402}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055004Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.884{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055003Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.884{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055002Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.884{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055001Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.884{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055000Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.884{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-8400-616D-D30A-000000000402}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054999Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.884{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8400-616D-D30A-000000000402}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054998Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.884{8D4DD44E-8400-616D-D30A-000000000402}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054997Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.857{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7ACC3FA3763B5958FCF8D85054A9296,SHA256=F60425765B561BC08407C08A400B504FC2CDE92E0A668EDAC439B481A017DFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000054996Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.764{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000054995Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.560{8D4DD44E-8400-616D-D20A-000000000402}71487128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000054994Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:06.893{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50200-false10.0.1.12-8000- 10341000x800000000000000054993Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.373{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8400-616D-D20A-000000000402}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054992Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.373{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054991Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.373{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054990Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.373{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054989Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.373{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054988Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.373{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-8400-616D-D20A-000000000402}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000054987Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.373{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8400-616D-D20A-000000000402}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000054986Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.374{8D4DD44E-8400-616D-D20A-000000000402}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000054985Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.357{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8387997578DD346D426F676E71C3AE2C,SHA256=A044F0DC00FB4EB6E26A61A25DDD02F2FF5996C87E2F36D7843DDBE3E4CA57C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037708Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:09.596{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B4D71DFE0DD126CE35BEF6E427179C,SHA256=C3735DD153025C032C0836A33399985F23A7C1E608F2C1175E912B403AB36EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055008Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:09.884{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFF83667AD2AC8AE9CF193394C8FA348,SHA256=90D61465135ADA886068B5DB8B368560B3B53213FCB94EEE1C80C225692A612D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055007Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:09.384{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94300554E664E11F53D9517F27A5B46A,SHA256=BB6C7453CAB11A19586E0FF191491D2934147DC9EE4EE1C04F1670537DEA2434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037707Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:09.534{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037706Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:06.593{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51700-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000055006Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:09.056{8D4DD44E-8400-616D-D30A-000000000402}71406560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037709Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:10.643{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F48FA47CFC680B88D29927EC2F841F,SHA256=9EAC3F7DD4381D80B64CB9F09A6E5EFBA61A7468D768FAD36E2BF54F9C81B46E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055010Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:08.595{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50201-false10.0.1.12-8089- 23542300x800000000000000055009Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:10.431{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BECC5A01071EA4FE13562D88400229,SHA256=8E98FC3F845D4E8195DBADF5ABC0B29D8E17E16F2A224F0FE85CADE66F825840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037711Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:11.674{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAE8B41D9C3A4552FF8075FD0781628,SHA256=5E03CED1F5C22E1A18D00BA945EB230F29FD2B7F48186A8231E0DAC31821FF8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055019Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.619{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-8403-616D-D40A-000000000402}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055018Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.619{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055017Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.619{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055016Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.619{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055015Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.619{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055014Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.619{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-8403-616D-D40A-000000000402}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055013Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.619{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-8403-616D-D40A-000000000402}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000055012Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.620{8D4DD44E-8403-616D-D40A-000000000402}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055011Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:11.447{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D7AFEBBA2D0BAFC5676D97808C98A9,SHA256=DF41AD99971AADE0174C0D4A6AE84B3B3733DB4EA87AA94E8EA4A21E97812141,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037710Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:08.994{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51701-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000037712Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:12.690{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5086ADE6045295CD0BCA9B0517331F4,SHA256=C4B7B6E96422C3CD752B8A35A8176835EF38958209B9CF39CF1B5B14AC567F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055021Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:12.681{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA0EAC453000278F7229BD46D6C18EE,SHA256=4BAFD7490E81C4238BF5D29849171EF0175FAC4E275733732D25BFE9B9BF6EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055020Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:12.463{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FADB22B98A0054C37E7CC9D013F91C7,SHA256=23485DA0E4AAFDA2250B030DCA7F34A7700990AD7BEC9232165B02F16F6F04A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037713Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:13.706{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760EAA006EDD8E07D18D30B8407765C3,SHA256=5EA6D2487229E40F3ACFD17CCF5AB481E88BE1690301B2E9E4D52FE8769EE38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055022Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:13.494{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9D0DB101E0CDBD9137FFDC6DEA240C,SHA256=881FD2DA21196466E464352561B9346E5E70ED423A8706379275FBCB0008A5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037715Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:14.721{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF62743F46344FE514B0DC05FDD18AC,SHA256=2F3045D5881B31EE303CAFFD32A99FCA86B9889FCD35315791C13E0C4E555E7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055024Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:12.903{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50202-false10.0.1.12-8000- 23542300x800000000000000055023Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:14.509{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C3F66B847F0FD4EDD2575C6366F017,SHA256=C5D17EC9923F4B4B5A32213003AD02A2F19B8501F79A93597592767C9588BE16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037714Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:11.728{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51702-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037716Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:15.737{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6F0716AD61819512910FEE45E86B87,SHA256=F8B9A9595F5275050FDB9DF1BC8EC2732991A570578AA28C21154639F5B6D598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055025Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:15.525{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C4470AE2E41D245E3DE9FB6BE1F1DA,SHA256=8D53B900E44A0882FBEF35ABB3645EE445291A2C2D5E1C965DF8ECC16FEB4949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037717Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:16.752{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F991AD8100A189124C2BE407A01D64AD,SHA256=8AEC6A9E8E92A811E344742FC289B08B50BDD956DC004B9511CE4C96F2388EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055026Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:16.541{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50CA47E9AEF99C94DD5B3B5DF0D130D,SHA256=DF429F93947AD1025285EE5551EE7CE11F96F882E6BD3CF8F0AEB45891B5A327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055027Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:17.572{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF02A61F94AFB608E57C9E9B68C01C5,SHA256=9B603C436C0DBD4A42AAE6CA2C2D85D4899C6BCE2F73372C74BE366A791F32EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037718Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:17.784{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47BDD05E53AEB83297D572A38F9489E,SHA256=B3DF6BF340FB856A0A75110260457BA10AC07256DA1A79B1D2ABE8B2E2047B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037719Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:18.830{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0A9A994FE0D2E81783763C3D83AD41,SHA256=4513A1D1E36B526AE1A797CEBBE0E44D3EA65C4200FECDAC860987048BE83D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055028Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:18.603{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973AA4CC4804DE1FA1B2778A7AA2C82F,SHA256=1C3CA5DD0EBB691D3F95A09D4164AABF9D1043356FA188ADC968F8C9B9F1922E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037720Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:19.877{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6B612029AB0F5A92FEBACCF75BF1F6,SHA256=9673109B99A4F92283CB43CC8B7CE86BE9BC7C256911B4FB5357C7F8E915EA95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055030Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:18.059{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50203-false10.0.1.12-8000- 23542300x800000000000000055029Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:19.619{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90528431E2607BB0E98D3A5253AC07B,SHA256=D5488E1A3393D2880C85A75F28BEB8499822750C37D2E42605195B1DBB0E5A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037722Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:20.909{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3A525014075997DDA0A4EDC8E04BD1,SHA256=D77C743ED4AD67C4DAA8090D88EA213DEEAD5A6B458E928328D0BB7BF10B706C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055031Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:20.634{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CE2156876D22BCAE6AA50FD91170F7,SHA256=E2604EBC9752C8F3BCBC45EB72E9937952D4972DB9C42B703664AAC8473C9EB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037721Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:17.713{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51703-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037723Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:21.924{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8764FB40C4EAF4CED50A4CD5C9359D,SHA256=FFF1B6F04C55F48566F0383D4B47E8F84C3BF7904ACA407A0C21ED8672C3F719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055032Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:21.666{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14B5FCDD03FCC9B440D5FBC46F2B08E,SHA256=C48E736C4CDDE0995ECDCBEC10FCF8BED5A9C635723A1941371052FC2BBCC0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037724Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:22.971{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E94E4AF343AFAB431FE558D3883FA88,SHA256=2A364C3B7CFE308BBD655031DCB063A317BCB17655AC73BC5905DEC02D05FFE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055033Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:22.681{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CD9D99663CA6B2E55550630EF2CBC8,SHA256=F80F85C1BE432144B93F6B3DE5A432017182BBB4D6553182224B727E1FD10CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037725Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:23.987{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B51CE5CDC3077636B41EA285815521A,SHA256=E8BEBAF363EBF85C4A2F370522436CFC102078A039DA68309CBECE36EFFE6C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055034Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:23.681{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112B1A42218137E0B34F9E85C20A0F99,SHA256=A8A5554DC62D8A3358E468992F3228A273472F5BCC77D0640C8F743A3EEDE927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055035Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:24.697{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8968F94E92DD5101EDF64215168345,SHA256=813CE6E8C88C35D54DB46A9025FAE700517280350EE43D640ADD5481E36FEA30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055037Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:25.744{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A9D98ADA3CCBD8365F14E20C6E6146,SHA256=BC6B56EBB09C1236E94E33C9A1C80308B1BE469DE8071FB218A0D419089A2A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037726Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:25.002{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9EB6CF801C0EC74F4CADBBA2481B71,SHA256=F045E93EBA38AB617F3F4AB0D1A7600C982C0513E79C4E0CD91570826CA0B6FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055036Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:23.934{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50204-false10.0.1.12-8000- 23542300x800000000000000055038Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:26.759{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCDFF4119938689A3AD4047F0E99C0E,SHA256=262B69AAB5C9EE2F87618DBB400BE6B8A828A94F53948DBF481654AD75E26D2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037728Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:23.525{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51704-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037727Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:26.049{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E70905DDB9B140025EC77989CF64FAF,SHA256=AEACB0F6CDEBE61F254B8DE3109805A159017365C9096A0DF644E7EE0777FD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055039Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:27.822{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF0556ECAE7ACB346EC0EBC840EE25A,SHA256=FA5D1E4A9CD66C776CB5D4F440D92150B2025B303B8A33ACC4F499CAA33DBBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037729Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:27.080{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFD30CBBE882E3A54E22DC832101F19,SHA256=FB6D87F3EDB611CC6E14EFB671DECC49FFEFA554B455C19B01E6691C886B0344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055040Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:28.853{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D39288DCEDC4E7D60B1678D33CC1128,SHA256=652DFAC7C9C416D519B08F311FF277F326685752CC7FED42898B431B9BE0C5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037730Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:28.112{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365E512D2440BF58A879F666E0ED85C8,SHA256=68CA84B3AF80F7016D22B2E53E1E95AE72025085FC7898ACE0850FE4C02A9BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055041Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:29.854{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3045D75DD866D72DA23EE72643816D5,SHA256=967D88E16030C2AD2462342C222ED65F99BFB0C513CFCF82E49C1425667D343B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037731Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:29.190{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674F6624A858E818ED3F78ABC763CA5B,SHA256=EC6C6EC01CD16481923BEE9EF03A8362D6311604663531805C3B2B263ABDDF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055042Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:30.869{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F80CDD6F9F148CBF4554586637F5DA6,SHA256=D2D6A04BB4604B772D01235A2936A304523445444896255FC50572D949D5A5C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037746Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8416-616D-1E08-000000000502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037745Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037744Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037743Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037742Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037741Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037740Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037739Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037738Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037737Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037736Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8416-616D-1E08-000000000502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037735Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8416-616D-1E08-000000000502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037734Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.800{6F8252D3-8416-616D-1E08-000000000502}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037733Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:28.541{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51705-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037732Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:30.206{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C63CAF7F10CDE34BFF467EA6D8BFDD,SHA256=910BE5C41E25B736F29B7F6EBAB93CA23D2A27BC765CF9FBCE17BAAA5A6E8B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055044Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:29.965{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50205-false10.0.1.12-8000- 23542300x800000000000000055043Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:31.885{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40877C3500F59FF860E3EE9C1B20E46C,SHA256=9F39CFD5FDB1F7FCBC2489B34B25AFA4FD4CCC4580A86F964F011155679B90DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037775Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8417-616D-2008-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037774Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037773Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037772Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037771Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037770Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037769Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037768Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037767Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037766Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037765Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-8417-616D-2008-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037764Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.862{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8417-616D-2008-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037763Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.863{6F8252D3-8417-616D-2008-000000000502}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037762Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.831{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD6511C5E3F9793E1115EEB8814E8130,SHA256=9A317B11F61D6C2A2821F965EFF13357DA745D39F88DEE3C6849AED81C947D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037761Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.831{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=775740E5940654D07C6EE56130BC2CC3,SHA256=0927E1D1595A69FBAC359F6205044F55BEB4AD7DC8FD819E9CD10688B686FF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037760Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8417-616D-1F08-000000000502}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037759Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037758Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037757Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037756Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037755Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037754Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037753Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037752Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037751Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037750Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-8417-616D-1F08-000000000502}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037749Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8417-616D-1F08-000000000502}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037748Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.300{6F8252D3-8417-616D-1F08-000000000502}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037747Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:31.253{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFB7BD00CA2B461DD3A67B899F95C90,SHA256=431A6586DF7A82ED2D0BCF401C0CC35C1D0B35EF222370708A6CB32CDC6A1224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055045Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:32.900{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805C42D753A23013CAF5E472DB7A66E2,SHA256=49C0360C2047B23037F7A445E76DB4134839840D9BD146DE9E9BEAF524802560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037778Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:32.878{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD6511C5E3F9793E1115EEB8814E8130,SHA256=9A317B11F61D6C2A2821F965EFF13357DA745D39F88DEE3C6849AED81C947D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037777Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:32.471{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0264930FA48A74ED479A3A4788C8EDC6,SHA256=B0C552C9DC0B75E605056A9708BD641E32BF802A49B2320372AF08A071E07F45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037776Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:32.018{6F8252D3-8417-616D-2008-000000000502}15403808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000055048Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:33.916{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D2459D52EA85BF16EC23E4EE9E387E,SHA256=37756EE433C239C74D6F25EC283B62AC6B27FE143E8A48C44BA5E20096985EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037793Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.487{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E10C7E11FEB39DA27FBE5A5A420652E,SHA256=D5CB53088F385323049AE41127A585B82F0CD515A1EC258C31774DE919A173A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055047Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:33.822{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81080838272D14CA0B6BD84BC3592667,SHA256=3DD09977448A3EA12F7B0BA9D97B403E3C794582A28184A64EE033DD84C345C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055046Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:33.822{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5015137C6B1F91E3478408D730D1BE0D,SHA256=54D3C3C24D2DA9189D45B9241C94B06FCA669F8110E8538C88FEC07BCF6F311D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037792Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.315{6F8252D3-8419-616D-2108-000000000502}13083424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037791Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-8419-616D-2108-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037790Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037789Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037788Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037787Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037786Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037785Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037784Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037783Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037782Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037781Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-8419-616D-2108-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037780Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.096{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-8419-616D-2108-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037779Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:33.097{6F8252D3-8419-616D-2108-000000000502}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055051Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:34.917{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CAE77533C5190BD6B9CAF64A5B658B,SHA256=F5C24B5E1DD2E1C0955ADBBF1EEE28D8F9578736F4C2EF34605B6ABDE26F0DF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037822Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.956{6F8252D3-841A-616D-2308-000000000502}26523500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037821Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-841A-616D-2308-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037820Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037819Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037818Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037817Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037816Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037815Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037814Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037813Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037812Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037811Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-841A-616D-2308-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037810Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.721{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-841A-616D-2308-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037809Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.722{6F8252D3-841A-616D-2308-000000000502}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037808Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB99A8AE3A9E5E93C855AEEB7EC64FD1,SHA256=9F6FAEF1EBB7743738D07857F51B7C0545BE951F598DE637E7CC923716526912,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055050Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:32.450{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50206-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000055049Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:32.450{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50206-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 10341000x800000000000000037807Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-841A-616D-2208-000000000502}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037806Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037805Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037804Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037803Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037802Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037801Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037800Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037799Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037798Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037797Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-841A-616D-2208-000000000502}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037796Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.206{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-841A-616D-2208-000000000502}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037795Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.207{6F8252D3-841A-616D-2208-000000000502}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037794Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:34.143{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E45C5EA729758AB60CBC6E246489F4C,SHA256=9011D127BA72819FB39E08EE09AF719E93B3EBFAF63D242D6E8060DF910B244F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055053Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:35.984{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-167MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055052Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:26:35.934{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34826F848130A5917A6048901A6E0942,SHA256=AD0D63CBDB3A4E1AC6C6BB9146135886163AEC8773224D9CA948B13414D8405E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037838Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.706{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF7A926DF84F996F07671D9C678FDCC,SHA256=9F57D9EC38C3305AAC0928557A91E6760B00973D7948C50D57CE146737581B00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037837Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.393{6F8252D3-841B-616D-2408-000000000502}28642004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037836Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-841B-616D-2408-000000000502}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037835Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037834Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037833Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037832Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037831Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037830Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037829Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037828Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037827Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037826Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5DB9-616D-0500-000000000502}412428C:\Windows\system32\csrss.exe{6F8252D3-841B-616D-2408-000000000502}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037825Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.237{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-841B-616D-2408-000000000502}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037824Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.238{6F8252D3-841B-616D-2408-000000000502}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037823Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:35.221{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=082D0A874319BA98B47CD2CC8BA4BA91,SHA256=654651542AF7440D5FF02ACF6A34EFBA8F0F2F3AC749846AE8C8B2307ECA1111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037839Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:26:36.331{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9614B4FEDA3358194931658131AF6990,SHA256=A8144AD944C591B28FB889E4E65D20FD2E907A6FC86AB1AA030BA66A32CDEA90,IMPHASH=00000000000000000000000000000000falsetrue