23542300x800000000000000052458Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:37.752{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCE07F4A882E523F768918EEB97DF54,SHA256=062A26603D807084DEFAC1B17FE53D233F709EE46872E67A28DA34E4899DC2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036070Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:37.415{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBA344957F46C503EF245AF9C9A83565,SHA256=7D097C861CEAE81405509F00D161749CE7D6F8EAD996DF20DC0BD97A22FE7CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036069Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:37.008{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BEC67FCDC87C0D25EF757841BE19A2,SHA256=D081BFCC29A595BAC97DF052D2A65618DF848C5876715122B1F59260772EC00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052460Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:38.908{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4783CA32C21F0BF56202D86EE80484,SHA256=906FDC43150FD605299F0CD548C58BC5A95D919826C04BBDFA68CE4C7DE66E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036071Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:38.055{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCF3081D8B2172B51BF99987B054F44,SHA256=E8AD310BF549A6506301420C5A600364224B846A99BDBDB34A4B36A2026DAC2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052459Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:36.114{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50061-false10.0.1.12-8000- 23542300x800000000000000052461Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:39.940{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752864FA4DD5E9A88F405CFB5752A224,SHA256=F4F0E7447634826A6C87B06540BDD9AAE7264899A7F0B3D44ED8143A19A9FB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036072Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:39.149{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B594125A2EBD96E323F61883C107D3,SHA256=A9F8A48BEB0112CC8121B8554C2A01728B4C711C8D8B32BE84EE910BA8628344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052504Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.971{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8497FC22BAF53613F8D772E0E91551,SHA256=4FBEA9FED0B84848F2744EAFEDD37F81061D7CCC90A1E893DEE69F5BB4306B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036073Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:40.165{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44613196067F12D25AA82821469062DD,SHA256=C5E71CC90CCA547984C813276BA752F99004C0F47761442525D93B5C490A545B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052503Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.393{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45735BB8722BDBF4DEE286B0B4D30EB8,SHA256=0F711E0F3164AD58FC34FF5D37F1541B56E7A9FCC55BB8C8905CDFA9206D95FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052502Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.330{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000052501Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.330{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000052500Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.330{8D4DD44E-79A3-616D-3609-000000000402}48007072C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052499Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.330{8D4DD44E-79A3-616D-3609-000000000402}48007072C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052498Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.314{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000052497Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.314{8D4DD44E-79A2-616D-2B09-000000000402}43844228C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000052496Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d 10341000x800000000000000052495Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A2-616D-2B09-000000000402}43845808C:\Windows\System32\RuntimeBroker.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e5a|C:\Windows\System32\combase.dll+6dc1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b253|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52489|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee 10341000x800000000000000052494Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A3-616D-3609-000000000402}48006004C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052493Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A3-616D-3609-000000000402}48006004C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052492Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000052491Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.283{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000052490Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.252{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052489Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.252{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052488Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.221{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052487Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052486Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052485Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052484Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052483Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052482Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA9-616D-0D00-000000000402}904772C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052481Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052480Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052479Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052478Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052477Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052476Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052475Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052474Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052473Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-79A3-616D-3609-000000000402}48006056C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052472Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.189{8D4DD44E-79A3-616D-3609-000000000402}48006056C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052471Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.174{8D4DD44E-5BA9-616D-1600-000000000402}12924292C:\Windows\system32\svchost.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052470Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.174{8D4DD44E-5BA9-616D-1600-000000000402}12921336C:\Windows\system32\svchost.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052469Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.158{8D4DD44E-799F-616D-2309-000000000402}37683740C:\Windows\system32\csrss.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052468Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.158{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052467Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.158{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052466Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.143{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052465Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.143{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052464Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.143{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052463Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.143{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052462Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:40.156{8D4DD44E-81C8-616D-690A-000000000402}4128C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8D4DD44E-79A1-616D-927B-510000000000}0x517b922HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8D4DD44E-5BA8-616D-0C00-000000000402}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000052522Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.986{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AFC6355258D44191A5DE8B09B0D3C7,SHA256=363BBCA5CD36C69A7F61A9B7AA53813292D0AB745F991345AFBDA976E057B588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036074Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:41.180{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1704C6C3FF7696E2450A9DEA72E21A14,SHA256=D992AF9CF9E7924D62ABFCBD15350FD60B013CB44D6403E913DF568FAF4A49AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052521Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.283{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000052520Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.283{8D4DD44E-79A3-616D-3609-000000000402}48003888C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+61899|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+3b24c|C:\Windows\System32\combase.dll+3af02|C:\Windows\System32\combase.dll+39818|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000052519Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48004492C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052518Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002324C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052517Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48004492C:\Windows\Explorer.EXE{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052516Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-5BA8-616D-0C00-000000000402}848352C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052515Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002324C:\Windows\Explorer.EXE{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052514Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052513Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052512Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052511Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.268{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052510Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.252{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052509Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.252{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052508Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.252{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052507Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.252{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052506Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.158{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384EEDA5DD16019C579831D3221936C5,SHA256=44B8EC179D54B46BE8951EE7F62890A16BE20248D425D875770E0E50C9905DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052505Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.158{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F757669DEEC9243D917F987EA92CB73,SHA256=FDBF364D547B2B276B10426AA06785A5806F14AC3A2E2D6971B4DA96C0C69441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052523Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:42.096{8D4DD44E-8034-616D-1F0A-000000000402}6496ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-10-18_141636MD5=82D4EB6900240FF95273ADAD50704314,SHA256=CA27C307D44DC4F6A4565B54649935E70AC566EF2EA988BC6F142B2660C14480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036076Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:42.350{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-149MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036075Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:42.183{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292C6BA1A239E3BD5913455A9E18EAB7,SHA256=EFAF5C5445C2E8E17AA94302FEB9101115B1F5C31344F2178E2D3EE0816EC9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036079Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:43.331{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-150MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036078Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:43.189{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA3F81CE29A825BAED49581403A95B8,SHA256=F86733618CE7DB582FE06A906CFE102DDED34AFA89BDE36AC1C28A865099BAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052524Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:43.018{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB769DB8021EDDD50BE26353CDD5C791,SHA256=E9570906F8E2D4F0A8D2D5C701A8BDEE62EE3BAC8BE5CAEBD56312A3357435C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036077Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:40.717{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51590-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036080Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:44.190{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1290E2ADB96946578F7B5F966F00E050,SHA256=FA694D3C2B2B84D186B7F9D97E8430DB0F6D90D1489825C9DFE4B9A6372D95C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052526Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:41.958{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50062-false10.0.1.12-8000- 23542300x800000000000000052525Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:44.049{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AF49C75C25E844F3AAC0B4D245E6A5,SHA256=87CA2561FFA1D6064A894CF4C4D9DE59F81303C493580A4BCBAB14DE06E33000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036081Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:45.205{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513C5102B8ACC832796F700ADCEF6FF7,SHA256=94A686EAABCE786EDF13E1CDE58CC3665B73D21AE7FA4343980E9A1C28589B13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052531Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.861{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052530Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.861{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052529Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.861{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052528Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.861{8D4DD44E-5BA8-616D-0C00-000000000402}8486748C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000052527Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:45.096{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40663B0425D011E037E604E2BA6C9413,SHA256=A23874A27D82C270B184F09E91672E05ACE2520E8424278E40B7E4CC97F66573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052541Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052540Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052539Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052538Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052537Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052536Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.611{8D4DD44E-79A2-616D-2C09-000000000402}19325356C:\Windows\system32\sihost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052535Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.564{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052534Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.564{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000052533Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.564{8D4DD44E-5BA8-616D-0C00-000000000402}8485840C:\Windows\system32\svchost.exe{8D4DD44E-79AE-616D-4509-000000000402}3780C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000052532Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:46.127{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5713E9F6E5BEA5C422FAC142E456D823,SHA256=11CA1040F054FEF673A5CCF83D3EBEDAEE51E19356E44E3AFE4B2B0DBCFF3AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036082Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:46.221{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD6E1CA4C9A1876E61F9C90CB61FE0B,SHA256=781709626E7DBBFB46D1C9757F8BD34C8A6A490F2A8EF7BD5AED8B3CBDB00C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052542Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:47.142{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F467D6EC75A621DDB88870832D7D17,SHA256=197ADA5EF40B4DDFBB3B7D2F8F6572683A076605D2C7381E3B22C65A4C4669E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036083Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:47.237{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB96C6BF1599AE1CBB71DF6D802FF7B1,SHA256=7C203602117AF5887A136D5D86FD6FF192DFED722514175B0EC2A1932806EED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036084Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:48.252{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701420E634F1259F20D5B73E6C9F9105,SHA256=3A63CA6961F8E3237146413FE5C325822C20769DD7294AEED21CF7AF1ACC1076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052543Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:48.174{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4E40B301F063F941FC1BF72C86CF9C,SHA256=3D39593752534A89712DE22FA3BE88D89DF44989C55517C60A75268DEA5EED73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036086Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:49.259{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56077B37B2C757F0DCC502B777D7AA0C,SHA256=587C4466DD1491FCEC31E9332E6E8C20600B2EBD2370AFDD3A243E480EF362A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052545Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:48.020{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50063-false10.0.1.12-8000- 23542300x800000000000000052544Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:49.174{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBDA09E05B49150A6D252FBAB7F0DD0,SHA256=0593DECD5BAFDE5C4C4366ED6B5EA0746E8C7D6D69E9ABFF6DB4E6BA42866712,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036085Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:46.492{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51591-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000052546Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:50.221{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFA1B64EE56DC21941FB35595FE2F62,SHA256=A465EFD539848420560FC8984F22106E0F35B8A503DB76F1DF08361EE8777E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036087Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:50.275{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6543E17A7EFCC95806655F527A27F70C,SHA256=4AB3DEFBAB2ED8ADCEABDE8D98D7C4EB5E2225BC6B45CE8FF47A5545855610AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052547Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:51.236{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210AAC6ABD45662F032DE10D6AF5B000,SHA256=F84BD322198E8F1C8CF14DC281313C084222FB79AE343C50622D52ECA59FDBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036088Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:51.291{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493C403D59477144F9222F4BBE684ACE,SHA256=650A41D093D2295ACEECD1693A892CB517EAE874E9806361B48E4CA0E7F63BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036090Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:52.306{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BBDC372E0356E03CDFEF7505F87951,SHA256=BB3F5897D56834E436CC79696A1466804DAD7884B47DFE2ED8BA6551B9ADBC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052548Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:52.267{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C34767DEDCA24ABC62253DCD6F7C61D,SHA256=E45378F76963DE0D1D21DF710F4CB663A2E6E9235909519C93E55A1E6F3AE377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036089Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:52.197{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B23E1FBDCF46C6804CB2C57A21107B59,SHA256=0CEAF02326183B19F5C85D3F75B9CC0F0DB043880EFF062D356A018389C9F8A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036091Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:53.322{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FDC11F463E2F67BB1F1C4253A16B7B,SHA256=7F4EF3DED134BA01048550D2B7857AFFADD1823586D1182C4C4E4B235039845D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052549Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:53.267{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D193E0CF8D3A71EE458A7C80ED69A7A7,SHA256=17906EC417400CADF72CB60C70B4564A9DF8F91F76E7E2802D3002E810A4D0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052550Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:54.283{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4970C051E9ACD635B2E38F3EE52E9F80,SHA256=FB401E8A9682906CBDC9FAF390701031D5CA26CD7C4078910F869F267C3D6826,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036093Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:51.749{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51592-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036092Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:54.337{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE70883076E57A4BBF00064C1474F15F,SHA256=24B09813C03AAEF7D8D7B6A61519E80C0B7632238E4095D3795D3479C5DE95C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052552Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.970{8D4DD44E-5BA6-616D-0B00-000000000402}6284360C:\Windows\system32\lsass.exe{8D4DD44E-5BA4-616D-0100-000000000402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+2c294|C:\Windows\system32\lsasrv.dll+317e9|C:\Windows\system32\lsasrv.dll+2f147|C:\Windows\system32\lsasrv.dll+2e0d1|C:\Windows\system32\lsasrv.dll+16cad|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000052551Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.314{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F53301723163B45F3576205779EB6ED,SHA256=2ABCFA4D57A10F50B97C84DF8E81C0C30943927BD6552C067FB37F5542EEA265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036094Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:55.353{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29ACB57EF078E01F58E298F43A54B43,SHA256=AB0447DB1E6D96B3164BA2C6965F8196A35F3233FF0A64320F47FB93CEC9D11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036095Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:56.369{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C39AB629599B61C83BA5878712C1C4,SHA256=B6A4FBC7801D7E3BDCE966C8B727367053B8B618C06622B58F12DD13A5078F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052556Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:56.877{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82EC16187FD28ACA63A2BCF1DFF4FBA3,SHA256=F063C63BBB44D675CE4FAAA76225E12A88C6E07CF6C24306067B549DC903F202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052555Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:56.877{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384EEDA5DD16019C579831D3221936C5,SHA256=44B8EC179D54B46BE8951EE7F62890A16BE20248D425D875770E0E50C9905DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052554Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:56.330{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEFB6528212BD9C7FBDC32D22DFB235,SHA256=FA5C9F2399AAD999F4CC35E29C6624AE38ACAC7ACDE6CAD75B31E77ED507786B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052553Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:53.975{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50064-false10.0.1.12-8000- 23542300x800000000000000036096Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:57.384{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDBE14836FBCEDDD6A7A073F8ED75AF,SHA256=4A62060342D694D4329EC3A33B70BC15340DF20DCEEB658107A6815BBC4BA4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052562Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:57.345{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF0C2E01214D6B6A607BA010269CC7F,SHA256=1C8AB4C920DC8BFD4266FAF072AD3E48D501EAEC0727F0D18B6FB36EF5DE3C6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052561Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.836{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50067-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 354300x800000000000000052560Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.734{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-185.attackrange.local50066-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000052559Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.734{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50066-false10.0.1.14win-dc-185.attackrange.local389ldap 354300x800000000000000052558Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.726{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50065-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 354300x800000000000000052557Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.726{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50065-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local389ldap 23542300x800000000000000036097Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:58.400{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC768041ABBB665E5FF62C8CF9140CC,SHA256=75317D4C8818DE550C13DB7AB0F80F7135CFE9BF5199804603DA1B523364B2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052563Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:58.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BCB2EF669EBEB1031B35EB1D7E6787,SHA256=3F56B2783211543696304240CD88ABD2AF287BDA0A9F2A196F6267BB143F23D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052565Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:59.424{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3DA97AE326D1C72D8673749C1C9D8F,SHA256=9DE9BE34A6CA423954594E70EDFFFEA692B91008F7B98288E23236ABB243F581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036099Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:59.415{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9CC148486BBC4076E9539F86A30D4E,SHA256=4250E4B38CD1541CA837B40F817E93056C54C2CB95A481744C816204DF1B3407,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036098Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:16:57.670{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51593-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000052564Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:55.836{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50067-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local445microsoft-ds 23542300x800000000000000036100Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:00.431{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3983F08F724C778D5DF2E502298664BE,SHA256=E7508E0AD4739EC6BD313BCED876DC6555D41A84E2EE2175A15BD562EA2DFB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052566Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:00.455{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3640C31A997F4E746B28278F03766FC8,SHA256=BD24C84DF874FD81193A03CC9C35872059CBBBF41961A9B48155AC1A85BF3D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036101Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:01.431{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFF43F38589280F92A12C0BEA974B1E,SHA256=CE3236EA3868DF5B53E5BBF20419C46FE4976D311D7C4A51589D4EB445C3E62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052568Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:01.470{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3583FF17A2CC12D7558149D9AD1A663,SHA256=B6EB6EAA991985C99C02A5C873ED147CC0CDF62E8EC07E967BC4455148DFAE49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052567Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:16:59.052{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50068-false10.0.1.12-8000- 23542300x800000000000000036102Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:02.462{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE82B75EBCE1E0CE169F2C391734DB9E,SHA256=39874A03F371161E93D9AA2F507F594434090A810E3003203931FFBF9FF854AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052570Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:02.986{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0203B0C4D98AA8490C9BED84F67EAADA,SHA256=3C72852C17C7A7BBF7E7489E2B0FBDDA6C576611FC5E2DC4A32B676A5D56B056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052569Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:02.486{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B9C85B081E73D6781807DBBDFFF3C4,SHA256=39A417B2A152BEEFDF952012B9AA7CB00F08D4BB706BD5DFFB7309D650F889FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052571Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:03.595{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FCC2B11C46FBA00CCA69427B5798CE,SHA256=DD6A36531D64A60611EDF81DCD5ACF62905C153AD7D2DAC4494BB4AD992FCB3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036103Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:03.494{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2650A4D17D817C6E0E5AF636AD1D082C,SHA256=8C74903FA0A2ADBB000767BE77707E571897A7671F51E00B1E57BF62AC17EA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052579Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.627{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223EA9A6B36E5600DB984A2BB176C9CE,SHA256=03F344026E3C2FF44DB2F2AAA2B918840CE1FE89770610604228775025243CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036104Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:04.556{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CC3EC5E7F8793DA45A8C3F2D290024,SHA256=AEAAF1026E393F42CF179D2224D8BDAB3B004F43E73AE07EF2EFB808C0AE0F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052578Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052577Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052576Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052575Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052574Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052573Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052572Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:04.111{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036106Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:03.529{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51594-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036105Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:05.572{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952ED3F895B0FBBBB47A8CDC3FFC4BD9,SHA256=D4A4484570E52B9DF85E95DD408043C9C63AD18118459F11BF6615BC03064A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052587Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.642{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5D9BE39B61D1B7F119E9462E8F4B91,SHA256=B0665E42A0525BF4F34F4F44B62EBB8D4D919D549277628746D02E45D1F26B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052586Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052585Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052584Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48006788C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052583Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052582Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052581Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052580Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.377{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036107Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:06.619{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B397FDFEFE0F9D00B5BB5C1504000F,SHA256=33FD94B438A7D083C89BB9023FFA4C3C32E8264C307ED5A0762CDC3B96269FAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052606Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E2-616D-6B0A-000000000402}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052605Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052604Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052603Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052602Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052601Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81E2-616D-6B0A-000000000402}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052600Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.705{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E2-616D-6B0A-000000000402}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052599Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.706{8D4DD44E-81E2-616D-6B0A-000000000402}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052598Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.642{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D708C7CDF6B565195122BFCFDA7926C9,SHA256=E902A8DE40BE98874D2AEAAB1EE2AD0BC4D9E41E524E4F0B7C96521456310991,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052597Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:05.004{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50069-false10.0.1.12-8000- 10341000x800000000000000052596Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.220{8D4DD44E-81E2-616D-6A0A-000000000402}47246972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052595Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E2-616D-6A0A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052594Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052593Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052592Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052591Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052590Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5BA6-616D-0500-000000000402}412528C:\Windows\system32\csrss.exe{8D4DD44E-81E2-616D-6A0A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052589Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.033{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E2-616D-6A0A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052588Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:06.034{8D4DD44E-81E2-616D-6A0A-000000000402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036108Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:07.681{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F7A084CEC0A758FC94D2CDA4308BC0,SHA256=616049BB7A165989E25AD828B79C7516076A2E253F1527F5BAED15EC565171C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052625Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E3-616D-6D0A-000000000402}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052624Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052623Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052622Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052621Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81E3-616D-6D0A-000000000402}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052620Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052619Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.877{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E3-616D-6D0A-000000000402}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052618Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.878{8D4DD44E-81E3-616D-6D0A-000000000402}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052617Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.658{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A027B5E06E5C58AB12A299C26950C8,SHA256=46B4CD804A1CA0670A9E91BE5B5ADAAA3D0DF369FD67BDD1677109A48485BABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052616Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E3-616D-6C0A-000000000402}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052615Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052614Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052613Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052612Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052611Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81E3-616D-6C0A-000000000402}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052610Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E3-616D-6C0A-000000000402}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052609Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.377{8D4DD44E-81E3-616D-6C0A-000000000402}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052608Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.064{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=047D6F356BFFAF43D09E1E1B0EBE13FD,SHA256=48F8F439D83C37FFCD92672C433788C1F1385ECFB5D42A19FC150BBF87C3146E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052607Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:07.064{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82EC16187FD28ACA63A2BCF1DFF4FBA3,SHA256=F063C63BBB44D675CE4FAAA76225E12A88C6E07CF6C24306067B549DC903F202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052638Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.929{8D4DD44E-81E4-616D-6E0A-000000000402}3446696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052637Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E4-616D-6E0A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052636Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052635Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052634Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052633Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052632Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-81E4-616D-6E0A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052631Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.726{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E4-616D-6E0A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052630Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.727{8D4DD44E-81E4-616D-6E0A-000000000402}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052629Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.663{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD7A57AFEBCF99D6ED5DA5E52F8B18A,SHA256=44DE0D3F721051FD26FEDC571E1A9A8336FA6C71277B965CA61195A71835357C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036109Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:08.717{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BECA7A332F336749E7709055B6BADF1,SHA256=86C74D7EF658F6E8EB92137E017CBCCCAD0900C4E3FB6DA4975E752EDA23C00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052628Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.554{8D4DD44E-5C1E-616D-A400-000000000402}2432NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052627Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.408{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=047D6F356BFFAF43D09E1E1B0EBE13FD,SHA256=48F8F439D83C37FFCD92672C433788C1F1385ECFB5D42A19FC150BBF87C3146E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052626Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.064{8D4DD44E-81E3-616D-6D0A-000000000402}69847016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052649Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.960{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=707E0DD472C1F967EC860876E2683532,SHA256=4D83679D74029CECA21659C57038D299C830700044D3E97078E13E6092C66F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052648Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.679{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4F7B47AB7020146C14C60FFA1222C4,SHA256=4E4E95CE317E7C299264A5E891CAC8A1227CDC471C4BE714AB64D70AEE563422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036111Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:09.733{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBF316D46160E4874BC8CDC492D61B7,SHA256=BF319B60BE2BC8CEEDC55B9E56448E794D922313E24FA5BDDED535DBD168F30C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052647Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.569{8D4DD44E-81E5-616D-6F0A-000000000402}43486956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052646Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E5-616D-6F0A-000000000402}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052645Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052644Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052643Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052642Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052641Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5BA6-616D-0500-000000000402}412428C:\Windows\system32\csrss.exe{8D4DD44E-81E5-616D-6F0A-000000000402}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052640Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.397{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E5-616D-6F0A-000000000402}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052639Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:09.398{8D4DD44E-81E5-616D-6F0A-000000000402}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036110Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:09.327{6F8252D3-5E51-616D-A600-000000000502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=710EA7B05D6BA2B04E69371F5A9F9563,SHA256=075ECC83A1E933E764EAFADBAEB274EC261ADF2B116F7C6E9B011B23E81CE501,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036113Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:08.800{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036112Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:10.748{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7232E76B2DC248C05E9A830F10CF5C8,SHA256=58D0C378F17C0F0A9BA500F1ABF3CF70A6E3BBC5199411678E2CF6C0D6FEA900,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052651Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:08.400{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50070-false10.0.1.12-8089- 23542300x800000000000000052650Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:10.694{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7716FEEE860A5EB8BC9DBDC638DDD0,SHA256=D21D2EBC11624304B52B78D38B1F8D4C3634F9B448E5AD657C7D5A6104A43189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036114Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:11.764{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF709A9A586641BF2FFA7EF4956DAC8,SHA256=222BBB1EE51AF5E37D99A21BAA1A7182008B97FBD9E992300F4627DC993F167B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052660Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5C1E-616D-A800-000000000402}8723676C:\Windows\system32\conhost.exe{8D4DD44E-81E7-616D-700A-000000000402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052659Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052658Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052657Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052656Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA8-616D-0C00-000000000402}8485300C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2B00-000000000402}3008C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052655Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5BA6-616D-0500-000000000402}412692C:\Windows\system32\csrss.exe{8D4DD44E-81E7-616D-700A-000000000402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052654Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.772{8D4DD44E-5C1E-616D-A400-000000000402}24323524C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D4DD44E-81E7-616D-700A-000000000402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052653Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.773{8D4DD44E-81E7-616D-700A-000000000402}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D4DD44E-5BA7-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8D4DD44E-5C1E-616D-A400-000000000402}2432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052652Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:11.694{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD45DE93F74761E8D089BF823EFF3BE3,SHA256=30E05B6E65D8FB5026A0B763012236B7A777BCBA589810004AF12A03EAD1ABD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052673Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:10.963{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50071-false10.0.1.12-8000- 23542300x800000000000000052672Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:12.788{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C69CDC4CCB07EB18EAE1EFED6A5C523,SHA256=44EE1DFB036BC8B8C6F9AB3CF0A0C8F17B2080AE4B9E40164E376E8BA87D67D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052671Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:12.710{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361F0B4335D868A55810954584656F42,SHA256=F453ADAF9ACF020F2A64DBFB9B99A811EF8FFB7A39C01EF5280F772624C98845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036115Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:12.780{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69651D32436A74B64F36C6E3E1E332C,SHA256=E5C3C40809950B9A496B2F80EA4A5FC05EA0957D75BC1D0950D9738DFE6D96FE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000052670Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000052669Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00957c11) 13241300x800000000000000052668Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c422-0x75c0e736) 13241300x800000000000000052667Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42a-0xd7854f36) 13241300x800000000000000052666Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c433-0x3949b736) 13241300x800000000000000052665Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000052664Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00957c11) 13241300x800000000000000052663Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7c422-0x75c0e736) 13241300x800000000000000052662Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7c42a-0xd7854f36) 13241300x800000000000000052661Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-SetValue2021-10-18 14:17:12.054{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7c433-0x3949b736) 23542300x800000000000000052674Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:13.726{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71542328D6CAF1309D69CD0098775327,SHA256=454F6514D005FFB20B4A1E5AEAF0820F2ACA72B692C89804C6A6D2F81E0D686E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036117Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:13.795{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9130E37509809DF50410F54C0A61709B,SHA256=47F008FE13039CF36F4588A64E2AA5573575BC091C643B46E5E98BC88DED95A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036116Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:09.581{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51596-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036118Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:14.811{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B00F2527CA3B51F01EEDB66C61DF5F,SHA256=3C684C55C1DB2718EBD2BCB83A52DFDD6848DD520315FB97F844C605E79A3CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052675Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:14.741{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E079B9B711C947B40889D3AD46EB5C5F,SHA256=746A15489CF1588CC5EDBC2A8B2D1D6CD2A4B5C86CEBC3D31A9C75CE866D51EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036119Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:15.827{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C32EE3A90B2C94A6DE4BE6BEC7A4C45,SHA256=527DDD7725418607E0D82412F78BB45C10FBAE1D22C2C25CFB0F3AD5416E700C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052676Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:15.757{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07D0102652E63FE06E3F99298B0BD24,SHA256=8F1E828773AAE4CEAC156F500BD42B5DBAA8335832CEC5B711774B8122D9FA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052677Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:16.772{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EB7832CFFCF0CF5018A83F053FE5A5,SHA256=6009B565357E99309C444358C34289320708A2A2AB468046A47199A5ADE74E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036120Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:16.827{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D108D56B59B412FDC0FD4A9DD3C46AE,SHA256=2375E5C70A4493E0F96C4397981773CAE051DB469D45EB133F62FA9BC2F4EE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052678Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:17.788{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A804D4A07CD311A3BA0A36FD0D72C9,SHA256=582C10E89F949A5BFCF646E28FB48F444D9995CD63EE4E7F4DFC9D70FAC87745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036122Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:17.842{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC2BAFCFC5BD6DABDC17CAAA9D57ACB,SHA256=B7E6CED851773233E0A9D799B1B5C7909DBF1CCD7A339802329604E4B02A0239,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036121Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:14.690{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51597-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036123Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:18.858{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6D7CA194059EBA63DDB477D3A20A40,SHA256=62980FE68108013F5DB7C373E8142F76623157A28BBB002F57117FF7B231A40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052679Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:18.804{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD1FC51B5415EE5E5DE6966B570845D,SHA256=ACC22530E038F715739164A82BE8A024210C1ADD39FA8818D170A94C1BEF185E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036124Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:19.874{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A523F4964654AB100C2E3A70C8F3D6CA,SHA256=E9DF47E45ED3B6506BD7BE926C4A985C985FF2F29B058C2DFE5E54612451EE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052681Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:19.819{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C615EEC66295E186572DCC1680D77F31,SHA256=2D155C05E48232CC26CE70207728BA6B6CBCD12BBC887EF36269C1A1BED7DDA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052680Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:17.025{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50072-false10.0.1.12-8000- 23542300x800000000000000052682Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:20.929{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE4A1867E5CEB4750B112A39F2396BA,SHA256=F49D57794E44DA5736DF884D0ECB171305E67E03BE1032A563322EDD58E26742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036125Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:20.889{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636B19EB9F8821F79D680741AE2044FB,SHA256=A44302B8099F42F1960ACA766366BC820644782A3D4A91CD84701BDFCBC67408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052690Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.945{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3EFA287583D2B43190ECE00CAC74C5,SHA256=1E7EF710D349FAEAF55A7E2056C96091410D7D36A25F36B7F7ACFF199383E9AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036126Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:21.905{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B52DC8A29B1A624CD4608DBCCFA5A17,SHA256=9EC65CE6009521AE6674091C1A3DB3F7BB4D73EC7F2AF54E05945534F61E206C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052689Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.664{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052688Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.664{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052687Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.664{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052686Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.664{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052685Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.648{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052684Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.648{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052683Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:21.648{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052692Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.961{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23FEB639F525AED1339F05109476065,SHA256=16DE03F0D3E78D6E72C4DF6D946D587C3B80C20A6BAA29E8D244BFBF58731133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036128Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:22.920{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4500FB98D0E7FF4EA7626878CEC47FDF,SHA256=869A005AC6EB77F2F488463A34154C2CE029C3A625DED6DB5C0575E828C9E6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052691Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.135{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\respondent-20211018113419-158MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036127Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:20.675{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51598-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036129Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:23.936{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF74EBEEE83BCC931C7A477B86261F89,SHA256=2252240B3A64464343A777CA0AD278414297EA2573129C62BB85057D160B8390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052694Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:23.978{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63117EEFCEEF26216CFC85F5DB77FB27,SHA256=74A382591508EBD5A480DC53ECB61DDE3EAAFFA21F3CC790F0E088CC50C1FDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052693Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:23.149{8D4DD44E-5BB9-616D-2900-000000000402}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05dcb7a5482346836\channels\health\surveyor-20211018113417-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052699Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:24.994{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B26E485D13842047228DA0222FFE77,SHA256=FB4AADB7E659F11B7A01916A26615A286A0343B12E947756030C9A26511D34DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036130Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:24.952{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B8C36E9258072A883C168068F69CDE,SHA256=52D74581BAB745871A53037B8551F7E2215377B749A95CD44B44CDFAECAEF159,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052698Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.671{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local55637- 354300x800000000000000052697Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.670{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-185.attackrange.local53domainfalse10.0.1.14win-dc-185.attackrange.local50181- 354300x800000000000000052696Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.670{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local63626- 354300x800000000000000052695Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:22.669{8D4DD44E-5BB9-616D-2600-000000000402}2852C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local57802- 23542300x800000000000000036131Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:25.967{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48A2D5EBDE7B44014B0EBB01D3D2706,SHA256=1207CA335488E45A4A69016FDDDE79CF8CEA497AE5648B49833D13D6844DB839,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052700Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:23.040{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50073-false10.0.1.12-8000- 23542300x800000000000000036132Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:26.983{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3B574DCDE6D6103B61AEE3A4E782A5,SHA256=AD0B66AC3F244CD368B33C22ACCE93417AF7C66C87F2A5E8937686D107896C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052701Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:26.056{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0695F121BEE07409F0CF4F187BB6A9AB,SHA256=83149A375E65B3780220A1D389BE4A6248CD01E477A74226EA87892C37FC857B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036134Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:27.983{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48F1FD6BF19BFC267D7C4D9A1568F37,SHA256=0BCF80A4EB7808447AC6147DEFA6EFD8D17CB412D718EEE82AE259825760F83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052702Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:27.087{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D38444CFD1A85568BE545E0B8F17F1,SHA256=A2496691171D4313FE3136E82DBEF4622D29818BACA92C687838BE042150E562,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036133Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:25.722{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51599-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036135Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:28.988{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FE6FF7BBC5C7982ADC6BE6BF906F4E,SHA256=E49A76587150BEB4863E653276D5D74ABBB8EDD2AC6D27F39971D14FDF5E3601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052703Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:28.119{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37E44A29DE35B80E7DE5E44FB25ABCC,SHA256=5EC5B92C09670DE2B07FBFB4847C11B9ED371CE4439EF90440B56531B868B788,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052732Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052731Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052730Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052729Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052728Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052727Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052726Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052725Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052724Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052723Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052722Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052721Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052720Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052719Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052718Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052717Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052716Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052715Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052714Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052713Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052712Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052711Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052710Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052709Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052708Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052707Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052706Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052705Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.152{8D4DD44E-5BA9-616D-0D00-000000000402}904928C:\Windows\system32\svchost.exe{8D4DD44E-79AD-616D-4409-000000000402}104C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052704Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:29.136{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C457AC54A3F0B91C33B808CE77EECB,SHA256=7D93DBDA317A7ECDB5395FF6FCA9FA142F42E68777FC3B50F0468C10BAA5E046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052733Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:30.183{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344A15355C141D3B471A0B0D971AEA36,SHA256=1913922199EC8D4766F0A62A8B1CB89524EA01025DB07A1FA576BAF12FCFA2F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036149Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FA-616D-DF07-000000000502}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036148Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036147Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036146Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036145Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036144Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036143Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036142Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036141Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036140Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036139Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-81FA-616D-DF07-000000000502}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036138Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.722{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FA-616D-DF07-000000000502}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036137Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.723{6F8252D3-81FA-616D-DF07-000000000502}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036136Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:30.003{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E33C9B04835468C064F89186382AE32,SHA256=2245418FEB9538F50A02C7EB1CCB742A96AA8C0F0CB2702A1926BE8E73D02CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052735Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:28.983{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50074-false10.0.1.12-8000- 23542300x800000000000000052734Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:31.199{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A26548834E39DBA0D9602EACFFD9BD,SHA256=BA54EC3230EA7CCD7C19D9410F479E4942572424C688B675FD7A6279FFB97A37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036179Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.956{6F8252D3-81FB-616D-E107-000000000502}14963864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036178Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.769{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFFC04A230F143E87FB5F795EB8F0148,SHA256=448227CD9A5E513C479ACAA696967ED49F8297F7E0A21EC1317C358BDA80A2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036177Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.769{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73E91C29B98EB75659848BEDC4CB01AE,SHA256=BDB6C2F260450AB83C7C2F5AEBF1E5C6B585DED4718664BED4041640DE656E2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036176Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FB-616D-E107-000000000502}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036175Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036174Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036173Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036172Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036171Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036170Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036169Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036168Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036167Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036166Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-81FB-616D-E107-000000000502}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036165Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.722{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FB-616D-E107-000000000502}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036164Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.723{6F8252D3-81FB-616D-E107-000000000502}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036163Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FB-616D-E007-000000000502}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036162Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036161Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036160Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036159Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036158Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036157Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036156Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036155Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036154Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036153Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-81FB-616D-E007-000000000502}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036152Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.222{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FB-616D-E007-000000000502}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036151Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.223{6F8252D3-81FB-616D-E007-000000000502}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036150Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.003{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B993001886E1E1EDD52ED088ECAB01,SHA256=C712359B0EBF2DCCC4C9F7ED77B126D4F6A17314E197C14CB5EB5EEEE3C3242A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052743Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052742Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052741Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052740Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052739Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052738Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052737Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.277{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052736Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.214{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DAFA4E9D958DD41F48E732FFD7FB5E,SHA256=39008112F4761ABB406BD19C3089A52096BDD63FCFD84C30FE2AAE67DE8D1947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036180Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:32.066{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1F5B7B27D98BAA3438FAF41B79953C,SHA256=DF84ED12A18C0056EBFBC43276B31353997966DCE6E1F5CABC656BB8789FD9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052746Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:33.543{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B092C427C4154FBD4FCE4F01D7310F3,SHA256=44E5AA0E89C1B322D9E8C8D35699DCC129A9E38DD4FBA159D038124DA6684B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052745Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:33.543{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8110F57FEB76BFFADFB0BF8CF378D7,SHA256=565F6C1A1A495D20252644D3FDC11B1E198544F64290E7C689962EC2ACAD26DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052744Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:33.230{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBC6A52263119E5B58E525DC4247FF4,SHA256=CBC9E976C03B2A8CD76E65208A7599FDF73D7CD76BE491C2DBE4825F3883E58C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036195Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.644{6F8252D3-81FD-616D-E207-000000000502}31601732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036194Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FD-616D-E207-000000000502}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036193Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036192Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036191Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036190Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036189Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036188Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036187Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036186Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036185Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036184Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-81FD-616D-E207-000000000502}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036183Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.331{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FD-616D-E207-000000000502}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036182Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.332{6F8252D3-81FD-616D-E207-000000000502}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036181Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:33.081{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C675F4151018FF38854C0D9163F1E559,SHA256=7FAE66147DDD179F866634096D9171534F80DDD70345332B65D8B4ACB5A1CD32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036224Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FE-616D-E407-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036223Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036222Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036221Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036220Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036219Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036218Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036217Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036216Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036215Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036214Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-81FE-616D-E407-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036213Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.878{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FE-616D-E407-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036212Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.880{6F8252D3-81FE-616D-E407-000000000502}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036211Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:31.570{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51600-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036210Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FE-616D-E307-000000000502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036209Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036208Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036207Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036206Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036205Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036204Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036203Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036202Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036201Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036200Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5DB9-616D-0500-000000000502}412968C:\Windows\system32\csrss.exe{6F8252D3-81FE-616D-E307-000000000502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036199Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.378{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FE-616D-E307-000000000502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036198Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.379{6F8252D3-81FE-616D-E307-000000000502}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036197Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.362{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFFC04A230F143E87FB5F795EB8F0148,SHA256=448227CD9A5E513C479ACAA696967ED49F8297F7E0A21EC1317C358BDA80A2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036196Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:34.097{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351AFA19EA42C01206BCB7BF4B799C0A,SHA256=1BAD157D875E86C4923FEF2D131B9E9225C4F29EDA9631CB1D9F60818BCE6C23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052749Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.342{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50075-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 354300x800000000000000052748Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:32.342{8D4DD44E-5BB9-616D-2C00-000000000402}3020C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-185.attackrange.local50075-true0:0:0:0:0:0:0:1win-dc-185.attackrange.local389ldap 23542300x800000000000000052747Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:34.261{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226343742FCA34FBE64BB79EC7D742A2,SHA256=8F393DE693F28F64B5EAA367B800A6D7CA2015EC563F9AADAAD30C4D644159FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036241Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.659{6F8252D3-81FF-616D-E507-000000000502}2596936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036240Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5E52-616D-AA00-000000000502}38403052C:\Windows\system32\conhost.exe{6F8252D3-81FF-616D-E507-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036239Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036238Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036237Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036236Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036235Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036234Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036233Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036232Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036231Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0500-000000000502}412528C:\Windows\system32\csrss.exe{6F8252D3-81FF-616D-E507-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036230Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5DB9-616D-0C00-000000000502}728900C:\Windows\system32\svchost.exe{6F8252D3-5DBB-616D-1C00-000000000502}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036229Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5E51-616D-A600-000000000502}32642512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F8252D3-81FF-616D-E507-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036228Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.522{6F8252D3-81FF-616D-E507-000000000502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F8252D3-5DB9-616D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036227Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2F4E17B2A99A739A8CE23DEF3D1008,SHA256=0C7483891B4EA2D34A4220F1DF5CA289D7C72B7A25A1653E01C8F8948294A921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036226Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.519{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA8870F9C84C0CDB3E4702DFB25A032,SHA256=3A7FAF035A4033F5558ECDEA52DB7CE914FC1CD84C6B5BEC0342BFE7135397D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052751Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:34.076{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50076-false10.0.1.12-8000- 23542300x800000000000000052750Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:35.277{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5E2191F8CF0D51B011FEA8BAF39721,SHA256=0A7F72D0C2C3264A6DA1110FF356F16A8D9071889FC37E352B18510C62BAF12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036225Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:35.019{6F8252D3-81FE-616D-E407-000000000502}39563268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F8252D3-5E51-616D-A600-000000000502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036243Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:36.566{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8C846B93636E3B57264DDFB81C423E,SHA256=A0E6DB815527A781B281207C3DF96E94AE0102CF6D571F6F51DCF07306E240BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052752Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:36.308{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9A0AA547C8C2BFFAB85E8F7E698C11,SHA256=8925B99467D0B22B5475892EDF394C2CAF030DA44D51D9D281CF731A2D69D21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036242Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:36.534{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=394D0D98CE9C77BE5496481A92048A17,SHA256=C24C8C3010BF7A640BCFF267DEE677B9C258529E42B9A26B636C29744A14C487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036244Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:37.581{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E236637A50566688A6081055974C73C,SHA256=4CE72D6512BACE6DE39DDAE0CC197398E92062244085F52B4383CD58598475FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052753Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:37.339{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D8539BB4F057F8BFB21AD25CC2C6A9,SHA256=A8350CEEC249462DD07F5253F218E60AC9E62C6C2B2330E230A0DD251DDC63AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036245Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:38.597{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A3024F1D7066B4D55E0ECEAAC041B3,SHA256=E478AED28F7097BADEBDFE661C7ADF07576B367DA7EBADCE52B1741E9D5E3717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052754Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:38.371{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BE0EADC3EF093438C0656365AF02F6,SHA256=26B1A978A5B9B8C93FE99545064B9D0AC04EABC2B855E2667965E2B0F870D695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036246Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:39.644{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A84D648D34F99CD00A8760ED506716,SHA256=E2FC211345998F994EBCF02ED77F9B4F976A08B00A57CEED0B070330464E5EB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052814Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052813Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226 10341000x800000000000000052812Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226 10341000x800000000000000052811Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x800000000000000052810Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.621{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+16d419 23542300x800000000000000052809Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.433{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA994D616D25225868BE18592325712,SHA256=4200E1187BFD31B86395E253DCF92FDB1A930BF6429FDC3FBDB03CC29AD6D12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052808Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.417{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6011D2F51F2ABB093B9CCC3644C23EF3,SHA256=F8A4F416D4DA37FE2DC52A25CF936EB3CD211DFBCACF8B621B281EFDA13A452C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052807Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052806Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052805Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052804Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052803Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052802Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.355{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052801Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.339{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052800Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.339{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052799Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.339{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052798Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.339{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052797Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052796Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052795Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052794Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052793Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052792Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052791Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052790Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052789Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052788Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052787Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052786Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052785Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052784Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052783Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052782Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.308{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052781Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.292{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052780Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.292{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052779Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.292{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052778Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.292{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052777Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052776Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052775Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052774Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000052773Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x800000000000000052772Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052771Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.277{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000052770Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.261{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea77|C:\Windows\System32\SHELL32.dll+13def8|C:\Windows\System32\SHELL32.dll+13dafb|C:\Windows\System32\SHELL32.dll+13dc67|C:\Windows\System32\SHELL32.dll+13dbea|C:\Windows\System32\COMDLG32.dll+10e08 10341000x800000000000000052769Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.261{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea77|C:\Windows\System32\SHELL32.dll+13def8|C:\Windows\System32\SHELL32.dll+13dafb|C:\Windows\System32\SHELL32.dll+13dc67|C:\Windows\System32\SHELL32.dll+13dbea|C:\Windows\System32\COMDLG32.dll+10e08 10341000x800000000000000052768Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.261{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea77|C:\Windows\System32\SHELL32.dll+13def8 10341000x800000000000000052767Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.261{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea77|C:\Windows\System32\SHELL32.dll+13def8|C:\Windows\System32\SHELL32.dll+13dafb 10341000x800000000000000052766Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.246{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028e3|C:\Windows\System32\SHELL32.dll+103044|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x800000000000000052765Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.246{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028e3|C:\Windows\System32\SHELL32.dll+103044|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x800000000000000052764Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.246{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028e3|C:\Windows\System32\SHELL32.dll+103044|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x800000000000000052763Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.246{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028e3|C:\Windows\System32\SHELL32.dll+103044|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x800000000000000052762Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.183{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1746d2|C:\Windows\System32\windows.storage.dll+174ba6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801F54DDD08)|UNKNOWN(FFFFDFE6026A5B48)|UNKNOWN(FFFFDFE6026A07F5)|UNKNOWN(FFFFDFE6026A1D1A)|UNKNOWN(FFFFDFE602702225)|UNKNOWN(FFFFF801F51F6103)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9824 10341000x800000000000000052761Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.168{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1747e9|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e84e|C:\Windows\System32\SHELL32.dll+13e466|C:\Windows\System32\SHELL32.dll+13dee3|C:\Windows\System32\SHELL32.dll+13dafb 10341000x800000000000000052760Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.168{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+174765|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e84e|C:\Windows\System32\SHELL32.dll+13e466|C:\Windows\System32\SHELL32.dll+13dee3|C:\Windows\System32\SHELL32.dll+13dafb 10341000x800000000000000052759Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.168{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f 10341000x800000000000000052758Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.168{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e84e 10341000x800000000000000052757Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.011{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+c5d8a|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2599|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226|C:\Program Files\Notepad++\notepad++.exe+1f8115|C:\Program Files\Notepad++\notepad++.exe+1e4a6d|C:\Program Files\Notepad++\notepad++.exe+1e8bdb|C:\Program Files\Notepad++\notepad++.exe+1e3b11|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 10341000x800000000000000052756Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.011{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+c5d78|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2599|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226|C:\Program Files\Notepad++\notepad++.exe+1f8115|C:\Program Files\Notepad++\notepad++.exe+1e4a6d|C:\Program Files\Notepad++\notepad++.exe+1e8bdb|C:\Program Files\Notepad++\notepad++.exe+1e3b11|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7 10341000x800000000000000052755Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.011{8D4DD44E-8034-616D-1F0A-000000000402}64964568C:\Program Files\Notepad++\notepad++.exe{8D4DD44E-79A3-616D-3609-000000000402}4800C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+c5d78|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2599|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+16d419|C:\Program Files\Notepad++\notepad++.exe+16af23|C:\Program Files\Notepad++\notepad++.exe+208a5a|C:\Program Files\Notepad++\notepad++.exe+208226|C:\Program Files\Notepad++\notepad++.exe+1f8115|C:\Program Files\Notepad++\notepad++.exe+1e4a6d|C:\Program Files\Notepad++\notepad++.exe+1e8bdb|C:\Program Files\Notepad++\notepad++.exe+1e3b11|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 23542300x800000000000000036248Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:40.675{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4203441679D48CFD00A7210B520154E3,SHA256=D0ED344111BAB15C7EC08870ABC10DEC2010430542A4F7A484E6DC963A4E0AC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052819Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.064{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50078-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000052818Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.064{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50078-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local49666- 354300x800000000000000052817Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.062{8D4DD44E-5BA9-616D-0D00-000000000402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50077-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 354300x800000000000000052816Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:39.062{8D4DD44E-5BA6-616D-0B00-000000000402}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local50077-truefe80:0:0:0:499a:5ff5:cd3f:fbdewin-dc-185.attackrange.local135epmap 23542300x800000000000000052815Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:40.433{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA66C19BAA1B46F51F1084AF02DE866,SHA256=49CB56D07F4EA148641EFE442FF98FFE9C42DB5783E864698F5103E67E938EE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036247Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:37.538{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51601-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036249Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:41.691{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C38F4E206FA04867B767EFDA441A51,SHA256=BEFAF50697C11FA86CCD45382C8377FC539B8BCA06D6D3BC78434494FAE75535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052824Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.980{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052823Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.964{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052822Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.964{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000052821Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.949{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exeC:\Temp\del.bat2021-10-18 14:17:41.949 23542300x800000000000000052820Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:41.480{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1655103FACFCC6DF24F19CBBC5821FD3,SHA256=E0BF1D76322A0F644C0820A6BC1386B78D6780E97656A53238B56C4CA0FC7F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036250Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:42.722{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C718694F64F46C56304EE25F26842D,SHA256=B9A8CA2C9229D55A131167319042F3161F368F8DDECEA0AB8251D2412A8EF10C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052828Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:40.076{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50079-false10.0.1.12-8000- 23542300x800000000000000052827Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:42.481{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C352ADD0BC90C190A20F3886116E56C,SHA256=080CABC5991BF2A3ABFEABFC439CCB698463DFA84820B0097ABE93B8CDBD8C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052826Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:42.042{8D4DD44E-8034-616D-1F0A-000000000402}6496ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-10-18_141739MD5=44291DF60B49039EE0BD1DC5E3FB7FEE,SHA256=BA08452FD6EB153DA7CC7626ADB6CFAB49DEA9CB874216C184D61A5B5039971B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000052825Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:42.027{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exeC:\Temp\del.bat2021-10-18 14:17:41.949 23542300x800000000000000036252Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:43.850{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\respondent-20211018114253-150MD5=2CB5601F5EDCA21E63E0E40ACBE3ABA7,SHA256=0D77ED474202710A0E95D2759556AB1551A681C71D327764AEA259A6D67A6999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036251Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:43.723{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697D95D7AF95DCA43D6597E24A81E397,SHA256=4F385A9C09B48F80ABED2FC43EEEE821577C0395AF2601A62FA7B33D9CF58B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052829Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:43.496{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638DD71CC022F2837E42DA30C102E300,SHA256=C5ED185F6D82CF389C87A17D11D979DFF96409C5393BCE2D4046C2D601D2772B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036254Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:44.864{6F8252D3-5DBB-616D-1A00-000000000502}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bbc1b6cc737a83c0\channels\health\surveyor-20211018114251-151MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036253Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:44.754{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B310F41B783B4DA2AE6302102F2BF8D6,SHA256=1EC7B4306D3EE24FAEC13B03A176CFC3EBFE7F2031ED80B360584B5CD4EA8A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052830Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:44.511{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FDA2AB0378F1F00EB3F99D153823C,SHA256=633F61FA828D15CB7152E27D96749D3858E1513CA21D67573B0D53F34697BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036255Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:45.754{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC01B50AABB9D5BC55F56F14CCB6DF6,SHA256=03E20B51BF7CFF35E665D20A7F412593E334981A67EF8E9CD0EC4171D1688335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052831Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:45.527{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A4735DBD255D77FCAD71283C8A5E88,SHA256=712CCB3D073A59193B9C9A5976F7F31BF20404AA8B93D2FD48CA46539DD6936A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036257Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:46.770{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06084AB4AEBDB1AEE46E765D8A48763,SHA256=1FB07A9487054A2AAAA09E12F6B45A18354898C66FD28922D0FE62098261C53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052832Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:46.652{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DCF51322D0C7FA18BB0D539CCCAC9E,SHA256=EA1D0C7F3F9BE5962BCF32EDE98A34E043E10F8D22E0CDB5723F0AF71CADBEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036256Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:43.539{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51602-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036258Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:47.785{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14425EC236CCF096B893AD2D3A706AC,SHA256=BD43408461BBE5DDC54E4A8AFD524AFBD53E5BAC7A98EFEC223CFB2413C295F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052834Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:45.982{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50080-false10.0.1.12-8000- 23542300x800000000000000052833Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:47.667{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AAEDCB0BB93342B25755249BC80766,SHA256=EE892767B39885D7557D692EE4BDEF5BA15E2B165A75B6A7750F0F8EF1F721BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036259Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:48.786{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF94D5F6549CF010C3D69139761F7AD,SHA256=1EA648B2EE83DB9301535CA864185EB77FECD90A3B58C1F9DFC5A9945E76A63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052835Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:48.670{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B91851479287033BF1014F6C8663D98,SHA256=5CEF3DDE26EC09B6CEF2920A6329AF5598FAE2E4D6F695D4E4A5E1BBFB3093B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036260Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:49.802{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933D33E6EBC6855A65000F99540E0FD5,SHA256=55644087CB9018E4D1EF4DC56507D4E59187AF7FFEE0CB3569606B81565C0EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052836Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:49.685{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABF052C9DD5198CEAD2BF2F6868C52D,SHA256=D62BFEB599DF33882788051DC619D40C2512F7FE0606DC37E33900899F757E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036262Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:50.864{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7CF2AEC9D337C3AAFB64904FC27A7D,SHA256=7A1DEF873AAF5D2D1D026F32B91221E14A2EE69164695C779B95F950C3A7B0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052837Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:50.701{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001D67692EA70D6E8D0E3A0A45EC1949,SHA256=C19648910786472F4042581514EF7D446B7F00D00E4722BD0093FA6B5E0B4A30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036261Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:48.571{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51603-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036263Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:51.958{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD92206C7B44ACB2FF3847BF980E547,SHA256=F1AB374864298E45E7E2C638CB01703427FC175459EAC3039263F642A201918C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052838Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:51.717{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FFFDD1F00B309F460C2F91DF090934,SHA256=2F9ECE8BB638015292949760F46D1B66B236994A6E555CDA3EB3EA74F30EEAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036265Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:52.974{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B872867788CBC773B43B5EB7E319C3,SHA256=717CADA56758269CC62AA8D60171F1D16D26F5F5E44B2AD5CFB7918ACDD86B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052843Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:50.985{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50081-false10.0.1.12-8000- 23542300x800000000000000052842Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:52.732{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A348AD26D272A143DE1E8F1CAE33C2,SHA256=27D5D9373CCF1B03C866FEDC280DF5908F953F678DD751A048638B9F7802BDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036264Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:52.208{6F8252D3-5DBA-616D-1300-000000000502}300NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9199187193BFB3116173A216E0FA2E9,SHA256=AFA04680095534BEB7CB0C370A5C2573F3233BE0DE2CFF498A25BCAAA1796DE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052841Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:52.154{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052840Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:52.138{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052839Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:52.138{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036266Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:53.989{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7DE9B37815EB22F57B7FC9E263B55C,SHA256=F10B168A9C41E36B9EADC80B71EEFAAA066BD0515F4B3F0E25ACB77E0F8DF986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052851Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.779{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFCC423A16CDACE42EDB300A2EF3409,SHA256=2E9CE8316A23002D8EDC86F7517410B4562428CE6297E150DD231448F9732374,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052850Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052849Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052848Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.779{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052847Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.763{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052846Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.763{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052845Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.763{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052844Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:53.763{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036267Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:54.991{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314E7AFABDC2BF9D62FD17745D88B3B5,SHA256=1D160174EE08F3A01B3F4FBB850AECC3610596469D4A75E38A406E4FB68D0066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052852Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:54.826{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B1C51FE7CF067354448978ED23929B,SHA256=6FCEA946B2177C3D820B67715F7181FCCD0FD01135BB9F5182D1BB51830218DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052856Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:55.841{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975955CA2ACF1B910821CC8986E25049,SHA256=DEAF94D4DDF75D853ED234CE6EEA624A30DEB618598F53D021D60261C0049CBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052855Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:55.779{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-79A2-616D-2D09-000000000402}4520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052854Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:55.779{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052853Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:55.779{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BB9-616D-2A00-000000000402}2996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052858Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:56.873{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FA0C0B30F404A1965EBB5EF4CE7237,SHA256=537FB9BE75F11936F018F689B0085B9EAD86B618DCA69DDC32F9904F21CC4A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036269Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:53.572{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51604-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036268Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:56.006{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C773573AFE4C66A1E79498ED226891C,SHA256=E275F319BC3BBC933DAF2AA04CE6D3FBC3BBF3438EF2B0C9A33D0550ACF8C833,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052857Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:56.841{8D4DD44E-5BA9-616D-0D00-000000000402}9043796C:\Windows\system32\svchost.exe{8D4DD44E-5BA9-616D-1600-000000000402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052859Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:57.919{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39710677910D80AD2FEE50812EA09096,SHA256=F2C4C4AAE19308C2D807F6873F43B69C7647F128DE5931271FB8840F1730C5B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036270Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:57.038{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4339EDEA1923E38569322FFCE50C27D,SHA256=5BF4DD7FD2B448D9019648A7F16B70DB7FBD679C6A2228DFC351C9D442CF30E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052867Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.935{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B1E7B5C5CE6904DD56E435AAC08B69,SHA256=5A0ED2C7755C01CC05B712911C8A3A678AEB28771506C2E4B09B5D0AEF156884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036271Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:58.069{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BEA1CBDCA8186996DB61CCCD1B5796,SHA256=24E46AE25CA32173B5096D3091E172C3D9D5801F25EC6066F663CF91DB89DF6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052866Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052865Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052864Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5A09-000000000402}6860C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052863Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052862Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052861Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052860Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:58.341{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-79CE-616D-5B09-000000000402}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052869Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:59.966{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6CA4F9623BC98BF0E45876ACBB02E2,SHA256=6601A81C76D73FF79CF5D7FD9523A242F86A517CC0A4E3F7FF482B760DEE03EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036272Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:59.100{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CB162B847F3CC58BEC6F53F97FB8CF,SHA256=07B9DB64F82D4ED6A8CED270B034CDF60F4ED7C0591B027A7D73F4D1141B6995,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052868Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:17:56.938{8D4DD44E-5C25-616D-D200-000000000402}2624C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-185.attackrange.local50082-false10.0.1.12-8000- 23542300x800000000000000052870Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:00.982{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076D95FA2FD451630FC80FE5EB0BBCB8,SHA256=9A9AFAE770C4625B74CCD7962DAB9DBAB82AF51AD7E06FC256BC74AC025F61DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036273Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:00.131{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAF604356530BA47F7DFE16B539ADD3,SHA256=DEE30AC8DB78346845D6B6FB2510CBB990ECF0146DD42A7FD552D78F02AE261E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036275Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:17:58.650{6F8252D3-5E5A-616D-D400-000000000502}652C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-470.attackrange.local51605-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036274Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:01.163{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978FDB3B552647D92628AE2D79911C0F,SHA256=083819C327703C36FE3C0FDC25AE35286F49F336C0BAD4E58F846290C50EFADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036276Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:02.194{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C490E5960A23F2D140BEDCDF1A8410,SHA256=9E5087A983445706549EA9E203C5257BB4CD6CDCB0A8381EB03537F92F59F5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052874Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:02.997{8D4DD44E-5BA9-616D-1100-000000000402}372NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9F9FD94684E5CACBD64B8E4A8B367224,SHA256=DC307E62F73EE7EEC80CA780C73EB7D680B1EA1B7B8F911045633B87001B4D53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052873Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:00.050{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-185.attackrange.local138netbios-dgm 354300x800000000000000052872Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:00.050{8D4DD44E-5BA4-616D-0100-000000000402}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-185.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000052871Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:02.029{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A967C74432B4D4F75206436A0B5419E3,SHA256=8B8DA00E6259A1A9BE404887509653545FBC09392E84BD88301E1448B2106FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036277Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:03.210{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E749E5F37912555C41CF42C73633C39,SHA256=C4ED21638E20F6AF57969C9E96353D34780A369B6D0E28090993CCDAF1A10ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052875Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:03.044{8D4DD44E-5C2B-616D-DB00-000000000402}3152NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E322F8B94FAF55437AD1FF825506491,SHA256=A815BAA59FFDFDB491F557372FADDF6A724331210DB64FDE36CDA29D45953F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036278Microsoft-Windows-Sysmon/Operationalwin-host-470.attackrange.local-2021-10-18 14:18:04.209{6F8252D3-5E60-616D-DD00-000000000502}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8873DED1FC54DCB3D27BB5E6BC2109,SHA256=F12079CAE067967BC053F9A2378981DABD8BEAEAFFD4FFDEE0EA82E54B22E8E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052897Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.966{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052896Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.966{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052895Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.966{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-390A-000000000402}1964C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052894Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.950{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052893Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.950{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052892Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.950{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052891Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.950{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-80C1-616D-3A0A-000000000402}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052890Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.857{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052889Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.857{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052888Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.857{8D4DD44E-79A3-616D-3609-000000000402}48002008C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052887Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.841{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052886Microsoft-Windows-Sysmon/Operationalwin-dc-185.attackrange.local-2021-10-18 14:18:04.841{8D4DD44E-79A3-616D-3609-000000000402}48004556C:\Windows\Explorer.EXE{8D4DD44E-8034-616D-1F0A-000000000402}6496C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791